CISA has published a joint Cybersecurity Advisory (CSA) which is coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE). This advisory provides information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018. These targeted both U.S. and international Energy Sector organizations. Much of the content in this blog post is sourced directly from the CISA joint alert.
On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) employee for their involvement in the following intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies.
Global Energy Sector Intrusion Campaign, 2011 to 2018: the FSB conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.
- One of the indicted FSB officers was involved in campaign activity that involved deploying Havex malware to victim networks.
- The other two indicted FSB officers were involved in activity targeting U.S. Energy Sector networks from 2016 through 2018.
Compromise of Middle East-based Energy Sector organization with TRITON Malware, 2017: Russian cyber actors with ties to the TsNIIKhM gained access to and leveraged TRITON (also known as HatMan) malware to manipulate a foreign oil refinery’s ICS controllers. TRITON was designed to specifically target Schneider Electric’s Triconex Tricon safety systems and is capable of disrupting those systems. Schneider Electric has issued a patch to mitigate the risk of the TRITON malware’s attack vector; however, network defenders should install the patch and remain vigilant against these threat actors’ TTPs.
- The indicted TsNIIKhM cyber actor is charged with attempting to access U.S. protected computer networks and to cause damage to an energy facility.
- The indicted TsNIIKhM cyber actor was a co-conspirator in the deployment of the TRITON malware in 2017.
This CSA provides the TTPs used by indicted FSB and TsNIIKhM actors in cyber operations against the global Energy Sector. Specifically, this advisory maps TTPs used in the global Energy Sector campaign and the compromise of the Middle East-based Energy Sector organization to MITRE ATT&CK frameworks.
CISA, the FBI, and DOE assess that state-sponsored Russian cyber operations continue to pose a threat to U.S. Energy Sector networks. CISA, the FBI, and DOE continue to urge the Energy Sector and other critical infrastructure organizations to apply the recommendations listed in the Mitigation’s section of this advisory and Appendix A.
For more information on Russian state-sponsored malicious cyber activity, see CISA’s Russia Cyber Threat Overview and Advisories webpage. For more information on the threat of Russian state-sponsored malicious cyber actors to U.S. critical infrastructure as well as additional mitigation recommendations, see joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure and CISA’s Shields Up Technical Guidance webpage.
DNS Remains a Prominent Attack Vector
This CISA joint alert notes that MITRE ATT&CK Command Control Tactic TA0011 has been observed, and specifically, the use of Data Encoding: Standard Encoding Technique T1132.001. As noted in our previous blog, https://blogs.infoblox.com/security/mitre-attck-and-dns/ Technique T1132.001 can utilize DNS in support of establishing and maintaining Command and Control. As always, DNS is part of the threat actor’s toolkit.
DNS is frequently used during the execution of most cyberattacks. This can include ransomware, use as a C&C channel, and for malware download and subsequent data exfiltration. All environments and workers can benefit from DNS security for visibility and protection against cyberattacks. This can include remote workers, cloud, and on-premises environments.
Russian nation state sponsored threat actors may use malicious domains and IP addresses that could already have a reputation and may be identified by using threat intelligence on your DNS infrastructure. In addition, the behavior and context of DNS queries may provide the essential indicators you need to identify and stop a zero-day attack and more advanced threats.
DNS logs are a source of truth to determine what resources and websites a client has been accessing historically. Contextual data is provided by DHCP fingerprint and IPAM metadata on compromised devices. This highly useful information can include the type of device, operating system information, network location and both current and historical IP address allocations. This information helps the security operations center team more effectively perform event correlation and the scope of an ongoing breach.
A June 2021 Gartner report recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms.
To find out more about how Infoblox can help protect your DNS infrastructure please reach out to us via https://info.infoblox.com/contact-form/.
To read the CISA alert directly, please refer to: https://www.cisa.gov/uscert/ncas/alerts/aa22-083a
Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.
Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to firstname.lastname@example.org or (888) 282-0870.