The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom (US Cybersecurity and Infrastructure Security Agency, the US Federal Bureau of Investigation, US National Security Agency, Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand’s National Cyber Security Centre, UK National Cyber Security Centre, and the UK National Crime Agency, respectively) are releasing this joint Cybersecurity Advisory (CSA).
The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as material support provided by the United States and U.S. allies and partners.
“Evolving intelligence indicates that the Russian government is exploring options for potential cyber attacks,” the agencies said.
They said that some cybercrime and cyber threat groups have recently publicly pledged support for the Russian government in light of its invasion into Ukraine. These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government and the Russian people, the advisory states.
Some groups have also threatened to conduct cyber operations against countries and organisations providing materiel support to Ukraine, while other groups have conducted disruptive attacks against Ukrainian websites as well.
Among the identified cybercrime groups that have aligned with the Russian government are The CoomingProject, Killnet, Mummy Spider, Salty Spider, Scully Spider, Smokey Spider, Wizard Spider, and the Xaknet Team.
Meanwhile, Primitive Bear and Venomous Bear have been flagged as Russian-aligned cyber threat groups that have not been attributed to the Russian government.
Since the Ukraine invasion, the Five Eye cybersecurity authorities have also detected malicious cyber operations against IT networks from various Russian government entities. These include the Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18, the Russian Foreign Intelligence Service, Russian General Staff Main Intelligence Directorate, GRU’s Main Center of Special Technologies, Russian Ministry of Defense, and the Central Scientific Institute of Chemistry and Mechanics.
In light of this malicious activity, the Five Eyes cybersecurity authorities have urged critical infrastructure network defenders to prepare for potential cyber threats — including destructive malware, ransomware, DDoS attacks, and cyber espionage — by hardening their cyber defences and performing due diligence in identifying indicators of malicious activity.
To protect against this growing cyber threat landscape, the Five Eyes authorities have called for organisations to immediately take four precautions.
The first is to update software, including operating systems, applications, and firmware, on IT network assets. According to the Five Eyes authorities, this would entail prioritising patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. They also recommended for IT networks to consider using a centralised patch management system and for OT networks to use a risk-based assessment strategy to determine the OT network assets and zones that should participate in patch management programs.
The second precaution is to enforce multi-factor authentication to the greatest extent possible and require accounts with password logins, including service accounts, to have strong passwords.
The remaining two calls for organisations to provide end-user awareness training and for users of remote desktop protocols to secure and monitor these more risky protocols closely.
“RDP exploitation is one of the top initial infection vectors for ransomware, and risky services, including RDP, can allow unauthorized access to your session using an on-path attacker,” the advisory states.
Prior to this warning, US President Joe Biden had already urged local organisations last month to bolster their cyber defence efforts as Russia has been considering conducting cyber attacks in retaliation to sanctions imposed against the country for its invasion into Ukraine.
“Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook,” Biden said at the time.
“My administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyber attacks.”