A joint threat assessment has been published by cybersecurity agencies in the United States, Australia, Canada, New Zealand, and the United Kingdom warning about the threat of cyberattacks by Russian state-sponsored hacking groups and pro-Russian hacking groups. Russian hacking groups are currently engaged in cyberattacks in Ukraine; however, there is concern that cyberattacks could be conducted beyond the Ukraine region in response to the unprecedented economic sanctions imposed on Russia over the war with Ukraine.
According to the alert, intelligence gathered in the United States indicates the Russian government has been exploring the potential for cyberattacks on critical infrastructure organizations, although no attacks have been conducted so far. The alert names several Russian agencies that are known to engage in malicious cyber activity, such as the Russian Federal Security Service (FSB) aka Berserk Bear; the Russian Foreign Intelligence Service (SVR) aka APT29/Cozy Bear; the Russian General Staff Main Intelligence Directorate (GRU) aka APT28/Fancy Bear and Sandworm; and the Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM) aka Xenotime. Previous malicious cyber activity has included distributed denial of Service (DDoS) attacks and the use of destructive wiper malware.
A warning has also been issued about the threat of attacks by pro-Russian cybercrime groups in retaliation for perceived cyberattacks on the Russian government and Russian people. Several cybercrime groups have pledged their support for Russia and have threatened to conduct destructive cyberattacks on countries and organizations that are assisting Ukraine by providing weapons and support services.
The alert warns about the potential for cyberattacks by the Russian-aligned cyber threat group, Primitive Bear, which has been targeting Ukrainian organizations since at least 2013, and Venomous Bear, a cybercrime group that has previously targeted governments aligned with NATO. Other cybercriminal groups named in the alert include the extortion specialists, The CoomingProject; Killnet, which has conducted a DDoS attack on a U.S. airport; the operator of the Emotet Botnet, Mummy Spider; the Sality botnet operator, Salty Spider; the DanaBot botnet operator and malware-as-a-service threat group Scully Spider; the SmokeLoader malware operator, Smokey Spider; the TrickBot and Conti ransomware operator, Wizard Spider; and the Russian-speaking threat group, The Xaknet Team. All of these threat groups have publicly stated support for the Russian government, and many have threatened to attack critical infrastructure organizations of countries perceived to be carrying out cyberattacks on the Russian Government or Russian people, or who are perceived to be involved in a war against the Russian Government.
The alert provides detailed information on these threat groups, their tactics, techniques, and procedures (TTP), and a long list of mitigations and recommendations for preventing, detecting and responding to attacks.
You can view the alert here: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure.