Pro-Russia Hacktivists are Strongly Attacking U.S. Critical Infrastructure Entities

By Daniel Lopez

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Canadian Centre for Cyber Security, Department of Defense Cyber Crime Center (DC3), Europol, and cybersecurity organizations across Europe have published a joint cybersecurity notification concerning pro-Russian hacktivists conducting cyberattacks on critical infrastructure.

Unlike the attacks of many financially motivated threat actors and sophisticated advanced persistent threat (APT) groups, these attacks are relatively unsophisticated. Apart from selecting critical infrastructure organizations as perceived enemies of Russia, the attacks are opportunistic rather than targeted. According to the authoring organizations, the attacks are driven by ease of access, exploiting known unpatched vulnerabilities in Internet-facing systems, particularly poorly secured Internet-facing desktop-sharing software and virtual network computing (VNC) connections. The hacktivist groups generally rely on readily replicable, unsophisticated techniques for initial access.

Although the attacks have a lower impact than those carried out by APT actors, their purpose is to disrupt the operations of critical infrastructure entities, potentially causing physical damage as well. Attacks may be combined with DDoS attacks, and the attackers actively seek visibility, amplifying their activities and publicly claiming responsibility for attacks. While such claims may be entirely fabricated, every claim must still be investigated. Although sectors such as food and agriculture, water and wastewater systems, and energy face the greatest likelihood of attack, the broad, indiscriminate approach has allowed the groups to strike a wide range of critical infrastructure sectors. The healthcare and public health sector, including HIPAA-covered entities, is among the critical infrastructure sectors facing an elevated risk of attack.

CISA Executive Assistant Director for Cybersecurity Nick Andersen stated that the pro-Russia hacktivist groups identified in the notice have demonstrated both the motive and the ability to cause real harm to vulnerable networks. In addition to applying the recommended mitigations and carefully reviewing their security settings, all OT device manufacturers should prioritize secure-by-design principles, since building in security from the start is essential to reducing risk and protecting the nation's most important systems.

Effective cyber threat information sharing between private industry and the federal government, adoption of the recommended practices, and robust enforcement action by the FBI and other organizations will help reduce the danger. Organizations must also update, integrate, and regularly test their emergency preparedness, cyber incident response, and medical continuity plans for the case of a prolonged technology outage, whether hospitals are affected directly or indirectly through a cyberattack on a mission-critical organization.

Key steps recommended by the authoring organizations are: reducing the exposure of assets to the public-facing Internet; implementing mature asset management processes, including mapping information flows and access points; using network segmentation, particularly between IT and OT systems; and ensuring all assets use strong authentication.
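To make the two technical points of the article concrete (the Internet-facing VNC and desktop-sharing exposure described earlier, and the four recommended mitigations just listed), the following is an added example, not code from the article or from any of the authoring organizations. It audits a constructed asset inventory and inter-zone flow map for exactly those gaps: remote desktop-sharing services reachable from the Internet, remote access without strong authentication, unpatched Internet-facing services, OT assets with any Internet exposure, and direct IT-to-OT flows that bypass an allowed path. Asset names, zones, the allow-listed flows, and the inventory itself are all constructed for illustration.

```python
"""Audit a constructed asset inventory and flow map against the advisory's
mitigations: reduce Internet exposure (especially VNC / desktop sharing),
segment IT from OT, and require strong authentication on remote access.
Example code; inventory data below is constructed, not real."""

from collections import Counter
from dataclasses import dataclass, field

# Ports commonly used by remote desktop-sharing services (standard assignments).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5800: "VNC-HTTP", 5900: "VNC", 5901: "VNC"}

# Hypothetical allow-list of inter-zone flows: IT reaches OT only via the DMZ jump host.
ALLOWED_FLOWS = {("IT", "DMZ"), ("DMZ", "OT"), ("OT", "DMZ")}


@dataclass
class Service:
    port: int
    internet_facing: bool
    mfa: bool = False      # strong authentication enforced on this service?
    patched: bool = True   # False means a known vulnerability is outstanding


@dataclass
class Asset:
    name: str
    zone: str              # "IT", "OT" or "DMZ"
    services: list = field(default_factory=list)


def audit_assets(assets):
    """Return (asset, severity, finding) tuples for exposure and auth gaps."""
    findings = []
    for a in assets:
        for s in a.services:
            label = REMOTE_ACCESS_PORTS.get(s.port)
            if label and s.internet_facing:
                findings.append((a.name, "high", f"{label}/{s.port} reachable from the Internet"))
            if label and not s.mfa:
                findings.append((a.name, "medium", f"{label}/{s.port} lacks strong authentication"))
            if s.internet_facing and not s.patched:
                findings.append((a.name, "high", f"port {s.port} Internet-facing with unpatched vulnerability"))
            if a.zone == "OT" and s.internet_facing:
                findings.append((a.name, "critical", f"OT asset exposes port {s.port} to the Internet"))
    return findings


def audit_flows(flows):
    """flows: iterable of (src_zone, dst_zone, description).
    Flags any inter-zone flow not in the allow-list; a direct IT->OT path is critical."""
    findings = []
    for src, dst, desc in flows:
        if src != dst and (src, dst) not in ALLOWED_FLOWS:
            sev = "critical" if (src, dst) == ("IT", "OT") else "medium"
            findings.append((desc, sev, f"flow {src}->{dst} not in allow-list"))
    return findings


# Constructed sample inventory (hypothetical hosts and flows).
SAMPLE_ASSETS = [
    Asset("hmi-pump-01", "OT", [Service(5900, internet_facing=True, mfa=False)]),
    Asset("eng-ws-07", "IT", [Service(3389, internet_facing=False, mfa=True)]),
    Asset("jump-01", "DMZ", [Service(3389, internet_facing=True, mfa=True, patched=False)]),
    Asset("plc-gw-02", "OT", [Service(502, internet_facing=False)]),
]
SAMPLE_FLOWS = [
    ("IT", "DMZ", "corporate users -> jump host"),
    ("DMZ", "OT", "jump host -> HMI"),
    ("IT", "OT", "eng-ws-07 direct VNC to hmi-pump-01"),
]


def run_audit(assets=SAMPLE_ASSETS, flows=SAMPLE_FLOWS):
    """Run both audits and tally findings by severity."""
    asset_findings = audit_assets(assets)
    flow_findings = audit_flows(flows)
    by_sev = Counter(sev for _, sev, _ in asset_findings + flow_findings)
    return {"assets": asset_findings, "flows": flow_findings, "by_severity": dict(by_sev)}


if __name__ == "__main__":
    result = run_audit()
    for where, sev, text in result["assets"] + result["flows"]:
        print(f"[{sev.upper():8}] {where}: {text}")
    print("totals:", result["by_severity"])
```

The OT HMI with Internet-facing VNC and no strong authentication is the pattern the advisory describes, and it produces three findings on its own; the workstation with RDP confined to the IT zone and protected by MFA produces none. A real deployment would populate the inventory from a scanner or CMDB export instead of the constructed list.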

The alert was issued a couple of days after a CISA and NSA notification regarding the BRICKSTORM backdoor, which is being deployed by state-sponsored attackers from the People's Republic of China (PRC) in attacks on VMware vSphere and on Windows cloud environments.

Image credit: Vadim, AdobeStock


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA