Learning from past Russian cyberattack campaigns to protect against future ones

Courtesy of CFE Media and Technology

On March 24, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Department of Energy (DOE) released a joint Cybersecurity Advisory (CSA) providing information on previous Russian cyberattack campaigns spanning from 2011 to 2018 and offering tips to help workplaces mitigate cybersecurity risk.

Past Russian cyberattack campaigns

The United States government recently released information about charges levied against several Russian Federal Security Service (FSB) officers and a Russian employee as they pertain to the following cyber campaigns:

Global Energy Sector Intrusion Campaign

This was a Russian effort to collect information and data from the U.S. and international energy sector networks. The malware used was Havex, an industrial control system (ICS)-based strain.

The attackers infiltrated third-party networks to access energy sector credentials. From there, they entered the enterprise networks, where they were able to obtain important ICS and operational technology (OT) information.

TRITON Malware Campaign

TRITON — which CISA describes as a “custom-built, sophisticated, multi-stage malware” — was used by several Russian employees at the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM).

These threat actors used TRITON malware to compromise an oil refinery in the Middle East. The malware added code to the safety software, Schneider Electric’s Triconex Tricon safety system, which allowed the attackers to disable it. This resulted in the refinery being shut down for several days. The refinery later patched its software to better protect its systems.

Tips to mitigate cyberattacks

The CISA alert gives many tips on how to protect against incoming cyberattacks, in both an enterprise environment and an industrial control system environment.

In an enterprise environment, the alert recommends:

  • Using and enforcing multifactor authentication.
  • Segmenting sensitive parts of the network from the main network to keep sensitive information isolated from the rest.
  • Regularly auditing systems and software to find weak points that need to be patched.

In an industrial control system environment, the alert recommends:

  • Consistently updating all software and patching any weak points.
  • Instituting robust physical security to prevent unauthorized personnel from entering the facility or restricted area.
  • Implementing network segmentation between information technology (IT) and ICS to limit the spread of a cyberattack should one system be compromised.

Industry expert and YouAttest CEO Garret Grajek shared his thoughts on the CSA alert, saying: “The new recommendations of CISA are improvements on the general wording. What is heartening about this messaging is the focus on privileged accounts and auditing. All of the 16 CISA-identified critical infrastructure sectors must take these necessary proactive measures to ensure that hackers aren’t already in their systems.”
