US-CERT Releases Alert on Russian Activity
The alert carries the title “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors” and code TA18-074A. Drawing on intelligence gathered by the FBI and DHS it alleges that Russian actors have been targeting US governmental networks as well as infrastructure in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors since early 2016.
It further alleges that the Russian government is the principal actor ordering these attacks.
The attacks described fall mostly into the category of social engineering with Spear Phishing and Watering Hole attacks providing access to critical infrastructure which is then exploited and extended using more technical attack strategies including custom malware installation.
The attack description is detailed and includes both timelines and signatures of uses tools.
What is new?
The recent briefing is novel in two regards: It provides unusually detailed information and it openly alleges Russian governmental involvement.
Previous reports by US agencies on cyber attacks have tended to be relatively vague, outlining only general attack patterns and tools without delving into too much detail on timeframes, targets and tool specifics. The high level of detail in this alert is likely due to a combination of the department releasing it being highly technical and an attempt to counteract the weary responses that previous reports have generated. While we do not have the information required to objectively judge the veracity of the claims included in the alert, it does convey a more detailed picture of the alleged cyber attacks which will make its claims easier to verify or debunk in the future. This move toward transparency in turn implies that the US government feels confident that its allegations will stand up to scrutiny.
The direct accusations made against the Russian government in turn may signal a shift in the US government's stance regarding Russia in general. While previous reports identified specific threat actors (such as the infamous APT-28, aka “Fancybear”) and indirectly linked these actors to Russian government interests, the level of direct accusation against the Russian government is unusual for an official report. While individual US legislators have made similar accusations over the past two years, this additional layer of officiality indicates that the overall US government posture on the matter of foreign cyber security threats may begin to shift towards a more aggressive stance.
The alert released by US-CERT is unusual in both its level of detail and its directness. We interpret this as a sign that US governmental policy towards foreign cyber-threat actors may be shifting towards more offensiveness. This change would be consistent with the stance of other major governments over the past years, leading to a heightened risk environment overall. While we recommend everyone to follow good security practices, the current tensions make it especially important for individuals connected to governmental, military and core-industrial organizations to remain proactive and prepare their staff to identify and correctly act upon cyber attacks.