Federal agencies, including the Cybersecurity and Infrastructure Security Agency (“CISA”), the National Security Agency (“NSA”), and the Federal Bureau of Investigation (“FBI”), issued a joint alert this week warning of the threat of Russian state-sponsored cyber-attacks targeting critical infrastructure, including healthcare, energy, telecommunications, and government facilities. The alert described common cyber tactics, techniques, and procedures that may be used, and actions organizations should take immediately to strengthen their cyber programs.
Threat Details and Known Tactics
Russian state-sponsored hackers have historically used common tactics to deploy their attacks, including spear-phishing and brute force attacks, along with exploitation of known vulnerabilities, including those in third-party systems and software that have been compromised. Attackers are also developing and deploying custom malware, which is often more difficult to detect and diagnose.
Russian hackers often dwell undetected in networks for long periods prior to an attack, frequently entering with legitimate (yet compromised) credentials and collecting information, including sensitive, proprietary information, to be used later in the attack as leverage. For example, in a ransomware attack, the hackers may use double extortion tactics: they require the company to pay to decrypt its systems, and to pay again to prevent the hackers from releasing the sensitive information they exfiltrated.
Particularly troubling for critical infrastructure, attackers are targeting operational technology and industrial control systems, which can have significant impacts on physical operations, safety, and social infrastructure.
How to Prepare and Respond to Threats
Critical infrastructure organizations should adopt a heightened state of awareness and proactively detect and address threats and vulnerabilities. Proactive preparation is key to prevention and a successful response should an incident arise.
Organizations should consider the following when assessing their current security and incident response posture:
Security Governance: Strengthen overall security posture and security governance, including following best practices around protective controls and vulnerability and access management, such as:
- Implementing network segmentation between IT and OT networks and environments; changing OT hardware to read-only when possible; and isolating OT networks to the extent possible and practical
- Requiring multi-factor authentication for all users
- Having a strong password and credential storage policy
- Enabling strong filters to prevent phishing emails from reaching end-users and filtering emails containing executable, batch, or other threatening files or links
- Ensuring up-to-date patching and software upgrades
- Setting anti-virus/anti-malware programs to conduct regular scans
- Utilizing endpoint detection tools across all systems to the extent possible
- Verifying and validating back-up systems for all production servers and ensuring the back-up data is encrypted and isolated
Security and Network Monitoring: Given the typical pattern of hackers remaining dormant and undetected in environments prior to an attack, early detection is particularly important. Organizations should actively monitor logs for suspicious activity such as: multiple login failures; password spray activity (a small number of password attempts against many accounts from one source); unusual authentication requests; and evidence and artifacts associated with known Russian state-sponsored hackers. For example, organizations should review authentication logs for connections from IP addresses in foreign countries where they have no users or operations.
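The monitoring signals listed above can be turned into simple log checks. The following is an added example (not part of the alert or the advisory it summarizes) that runs four such checks over constructed authentication log lines: repeated failures against one account from one source, password spray (one source failing against many accounts), a successful login immediately following a run of failures on the same account, and successful logins from outside a constructed list of expected address ranges. The log format, the thresholds, the sample addresses and the expected ranges are all assumptions made for the example; a real deployment would read its own directory or VPN logs and tune the thresholds.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample authentication log lines (not from any real system).
# Assumed format: "<timestamp> <OK|FAIL> user=<account> src=<ip>"
SAMPLE_LOG = """\
2022-01-12T08:00:01Z FAIL user=jsmith src=198.51.100.7
2022-01-12T08:00:05Z FAIL user=jsmith src=198.51.100.7
2022-01-12T08:00:09Z FAIL user=jsmith src=198.51.100.7
2022-01-12T08:00:13Z FAIL user=jsmith src=198.51.100.7
2022-01-12T08:00:17Z FAIL user=jsmith src=198.51.100.7
2022-01-12T08:00:21Z OK   user=jsmith src=198.51.100.7
2022-01-12T08:10:00Z FAIL user=alice src=203.0.113.9
2022-01-12T08:10:02Z FAIL user=bob src=203.0.113.9
2022-01-12T08:10:04Z FAIL user=carol src=203.0.113.9
2022-01-12T08:10:06Z FAIL user=dave src=203.0.113.9
2022-01-12T08:10:08Z FAIL user=erin src=203.0.113.9
2022-01-12T08:10:10Z FAIL user=frank src=203.0.113.9
2022-01-12T09:00:00Z OK   user=ops-admin src=10.20.30.40
2022-01-12T09:05:00Z OK   user=ops-admin src=192.0.2.200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed (assumed) address ranges the organization expects logins from.
# In practice this list would be the corporate/VPN ranges, or a GeoIP lookup
# would replace it to flag the foreign-country logins the alert mentions.
EXPECTED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_brute_force(events, threshold=5):
    """(user, src, count) for account/source pairs with >= threshold failures."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[(e["user"], e["src"])] += 1
    return sorted((u, s, n) for (u, s), n in fails.items() if n >= threshold)


def find_password_spray(events, min_accounts=5):
    """(src, [users]) for sources that failed against >= min_accounts distinct accounts."""
    targets = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            targets[e["src"]].add(e["user"])
    return sorted((s, sorted(us)) for s, us in targets.items() if len(us) >= min_accounts)


def find_success_after_failures(events, min_failures=3):
    """(user, src, failures) when an account succeeds right after a run of failures.

    A success following a burst of failures is the classic sign that a
    guessed or compromised credential has just been used."""
    streak = defaultdict(int)  # consecutive failures per account
    hits = []
    for e in events:  # events are assumed to be in time order
        if e["result"] == "FAIL":
            streak[e["user"]] += 1
        else:
            if streak[e["user"]] >= min_failures:
                hits.append((e["user"], e["src"], streak[e["user"]]))
            streak[e["user"]] = 0
    return hits


def find_unexpected_sources(events, expected=EXPECTED_RANGES):
    """(ts, user, src) for successful logins from outside the expected ranges."""
    hits = []
    for e in events:
        if e["result"] != "OK":
            continue
        addr = ipaddress.ip_address(e["src"])
        if not any(addr in net for net in expected):
            hits.append((e["ts"], e["user"], e["src"]))
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("brute force:", find_brute_force(ev))
    print("password spray:", find_password_spray(ev))
    print("success after failures:", find_success_after_failures(ev))
    print("unexpected source:", find_unexpected_sources(ev))
```

On the sample, the first account trips both the brute-force and the success-after-failures checks, the second source is reported as a password spray, and the final login is flagged because it comes from an address outside the expected ranges. Each check is deliberately independent so that one can be tuned or replaced (for example, swapping the range list for a GeoIP lookup) without touching the others.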
Incident Response: Strengthen the organization’s incident response plan and test it to ensure all key stakeholders understand their roles in a response; formalize an incident response team with a designated team leader to ensure swift, coordinated responses to incidents.
Vendor Management: Develop standards and a process for assessing the risk posed by third parties that have access to the organization’s network, given that attacks often originate with third parties. Once the organization has assessed this vendor risk, it should put controls in place across the organization to address those risks.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.