CISA warns local, tribal governments about Russian state-sponsored cyberattacks
The Cybersecurity and Infrastructure Security Agency (CISA) released an alert on Tuesday detailing a variety of tactics used by Russian state-sponsored groups to attack local and tribal governments across the US between September 2020 and December 2020.
When pressed on why the guide was being released now and which local governments were attacked in 2020, CISA said it was part of its “continuing cybersecurity mission” with “interagency partners to warn organizations of potential criminal or nation state cyber threats.”
“As described in the advisory, Russian state-sponsored actors have targeted a variety of US and international critical infrastructure organizations over the years. This guidance is being released to broadly share known tactics, techniques, and procedures, and encourage network defenders to take recommended actions,” a CISA spokesperson said.
The alert said Russian state-sponsored advanced persistent threat (APT) actors have generally targeted US and international critical infrastructure organizations, but it also said the “high-profile cyber activity” revolved around the attacks on state, local, tribal, and territorial (SLTT) governments and aviation networks in the fall of 2020.
CISA said the groups “targeted dozens of SLTT government and aviation networks” and were able to successfully compromise networks before exfiltrating data from an unknown number of victims.
The US cybersecurity agency also said APT groups conducted “multi-stage intrusion” campaigns across multiple companies in the energy sector, deploying ICS-focused malware and collecting enterprise and ICS-related data from 2011 to 2018.
The notice includes a range of advice for organizations as they try to protect themselves and their systems. CISA, the FBI, and the NSA also released a full list of vulnerabilities that Russian state-sponsored groups typically use to gain initial access to target networks.
The US is still in the process of recovering from the SolarWinds scandal, which saw Russian government groups gain widespread access to 100 government contractors and multiple agencies including the State Department, Department of Homeland Security, National Institutes of Health, the Pentagon, the Treasury Department, the Department of Commerce, the Department of Energy and the National Nuclear Security Administration.
Rep. Carolyn Maloney, chairwoman of the House Committee on Oversight and Reform, held a hearing on Tuesday about efforts to strengthen the Federal Information Security Management Act (FISMA), which would force federal agencies to improve their cybersecurity standards.
Maloney noted that FISMA hasn’t been updated since 2014 and that federal agencies reported 30,819 cybersecurity incidents in 2020 alone.
The CISA release also comes as the US and Russia spar over multiple issues in Ukraine and Kazakhstan. The alert cites previously reported attacks by Russian groups on critical infrastructure in Ukraine. A US Homeland Security report from 2016 said 225,000 customers were left without power two days before Christmas because of the Russian attack on three regional electric power distribution companies.
CISA explained on Tuesday that the Russian groups involved in the attack on those distribution companies used the BlackEnergy malware to steal user credentials, and then used its KillDisk component to render infected computers inoperable.
“In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids,” the CISA alert said.
Chris Krebs, the former director of CISA, tweeted about the alert, saying, “State and NSC are in Geneva right now trying to keep the Russians out of Ukraine, but in case that doesn’t work, you might want to prepare for badness…”