Russia's Invasion of Ukraine and CISA/FBI's New Era of Transparency

BLUF: Bottom Line Up Front

I want to start this post with the most important thing right up top:

The CISA.gov/Shields-Up page starts with this statement.  PLEASE take it seriously, and escalate to your top management:

"Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, we can use this information to render assistance and as warning to prevent other organizations and entities from falling victim to a similar attack."

Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to report@cisa.gov or (888) 282-0870.

Second "Bottom Line Up Front" BLUF point:  CISA has released TTP's of Russian threat actors known to attack US Critical Infrastructure.  If you work there, skip this blog and go read their report first!
"Alert (AA22-083A):  Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector."

CISA/FBI and the New Era of Transparency

 Anyone who has seen one of my presentations recently knows that I am a huge cheerleader for CISA.gov, the Cybersecurity & Infrastructure Security Agency at DHS, which replaced the National Protection and Programs Directorate (NPPD) that previously led private sector engagement and interaction for DHS.

Previously, I've asked people to make sure someone in their organizations was watching four critical information sharing pages at CISA.  

• https://www.cisa.gov/uscert/ncas/current-activity
• https://www.cisa.gov/uscert/ncas/alerts
• https://www.cisa.gov/uscert/ncas/bulletins
• https://www.cisa.gov/uscert/ncas/analysis-reports

I had already said publicly many times that they are doing a PHENOMENAL job of sharing information - unprecedented in my 22 years of working with the government on Critical Infrastructure Protection, from Ron Dick and the NIPC (National Infrastructure Protection Center), serving on the national boards of InfraGard and the Energy ISAC, and interacting with FS-ISAC (Financial Services), H-ISAC (Healthcare), and REN-ISAC (Research and Education).  But now CISA (and the FBI) has taken Information Sharing to a whole new level.

The White House on Russian Cyber Threats

It started with the White House.  On March 21st, President Biden stated that there was "evolving intelligence that the Russian Government is exploring options for potential cyberattacks." Based on this new intelligence, the administration gave the order that thing that were not previously shared needed to be shared at an even higher level of detail and specificity, including things that were previously deemed too sensitive to share in an unclassified environment. 

That same day, Press Secretary Jen Psaki brought in Anne Neuberger, the Deputy National Security Advisor over Cyber and Emerging Technologies.  She stated that in the past week, CISA and the FBI had held meetings with 100+ Critical Infrastructure Companies to determine a best course forward in helping to protect critical infrastructure, including encouraging them to participate in the CISA Shields-Up! program. 

The White House also released a FACT SHEET: Act Now to Protect Against Potential Cyberattacks

• Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
• Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;
• Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
• Back up your data and ensure you have offline backups beyond the reach of malicious actors;
• Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
• Encrypt your data so it cannot be used if it is stolen;
• Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and
• Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.

After this set of announcements, CISA.gov's director, Jen Easterly, convened a meeting that was attended by more than 13,000 Critical Infrastructure stakeholders from all across the United States, including every sector and every size. A recording of the CISA CALL WITH CRITICAL INFRASTRUCTURE PARTNERS ON POTENTIAL RUSSIAN CYBER ATTACKS AGAINST THE UNITED STATES has been shared on their YouTube page!

During the call, which included FBI Deputy Assistant Director for Cyber, Tonya Ugoretz, and CISA Deputy Executive Assistant Director for Cyber, Matt Hartman,  Director Easterly committed to push to have even more sensitive data released to the public if it would possibly help protect American Critical Infrastructure.  And today, we see a great example of that!

Documentation of Two Historical Hacking Campaigns Against Critical Infrastructure

The FBI and the Department of Justice released the legal side, in the form of an extremely detailed press release about Russian hacking campaigns targeting Critical Infrastructure at hundreds of companies in 135 countries.

https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical

The Press Release was accompanied by two indictments: 

The first, "USA v. Evgeny Viktorovich Gladkikh," (17-page indictment) details the origins, creation, and distribution of the "TRITON" malware.  This attack framework was described in great depth in December 2017 by Mandiant in their report "Attackers Deploy New ICS Attack Framework 'Triton' and Cause Operational Disruption to Critical Infrastructure." While Mandiant described the malware as "an attack framework built to interact with Triconex Safety Instrumented System controllers," they could only say they believed it was "activity consistent with a nation state preparing for an attack." 

Through the new transparency we are seeing, the full details of the indictment are now unsealed and we learn the attacks were conceived and executed from the Russian Ministry of Defense, Federal Service for Technical and Expert Control, in a lab known as the Applied Development Center, which was in turn part of TsNIIKhM, the State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics.  

The second indictment, "USA v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov," (36 page indictment) is targeted at members of the Federal Security Service (FSB)'s "Military Unit 71330" also known as "Center 16." Members of this lab are better known by their flamboyant APT Designations:  Dragonfly, Berzerk Bear, Energetic Bear, and Crouching Yeti.  In particular, this indictment addresses their attacks in 2017 which attempted to target and compromise critical infrastructure and energy companies worldwide, including in the USA generally, and in Kansas in particular (the home office of the indictment.) 

Again, the new transparency shows us that these attacks, also known as Dragonfly, Havex, and Dragonfly 2.0, were supply chain attacks, where various ICS/SCADA system manufacturers had their software manipulated to include malicious backdoors which would be downloaded by unsuspecting customers. Through this campaign, at least 17,000 unique devices in the US and elsewhere were compromised, including ICS/SCADA controllers used by power and energy companies. In 2.0, malware was delivered via Spear-phishing attacks and Watering hole attacks targeting employees of such companies. At least 3,300 systems were compromised using this methodology as well. 

Some of the groups attacked in this way included the Nuclear Regulatory Commission, WolfCreek Nuclear Operation Corporation in Burlington, Kansas, Westar Energy, in Topeka, Kansas, and the Kansas Electric Power Cooperative. 

Again, Havex was known to the security community.  Trend Micro wrote about it in their report "HAVEX Targets Industrial Control Systems" back in July 2014, and in more detail in their white paper "Who's Really Attacking Your ICS Equipment?"  Dragonfly 2.0 was similarly discussed, for example by Symantec, in their report "Dragonfly: Western energy sector targeted by sophisticated attack group" in October 2017.  WIRED magazine also wrote about the group Berzerk Bear in October 2020 in their article "The Russian Hackers Playing Chekov's Gun with US Infrastructure." 

But now, in a coordinated Information Sharing To Protect Our Nation blitz, CISA, working with the FBI and the Department of Energy, have released "Alert (AA22-083A):  Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector."