A DHS and FBI joint technical alert describes cyber-enabled capabilities and actions related to the Russian Government compromising US-based networks and endpoints, as well as distributing malware, conducting spear phishing operations, and deploying network reconnaissance tools.
First Published 16th March 2018
Critical infrastructure - an attractive target for mass disruption.
4 min read | Reflare Research Team
The alert carries the title “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors” and code TA18-074A. Drawing on intelligence gathered by the FBI and DHS it alleges that Russian actors have been targeting US government networks as well as infrastructure in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors since early 2016.
It further alleges that the Russian government is the principal actor ordering these attacks.
The attacks described fall mostly into the category of social engineering with Spear Phishing and Watering Hole attacks providing access to critical infrastructure which is then exploited and extended using more technical attack strategies including custom malware installation.
The attack description is detailed and includes both timelines and signatures of used tools.
What is new?
This briefing is novel in two regards: It provides unusually detailed information and it openly alleges Russian governmental involvement.
Previous reports by US agencies on cyber attacks have tended to be relatively vague, outlining only general attack patterns and tools without delving into too much detail on timeframes, targets and tool specifics. The high level of detail in this alert is likely due to a combination of the department releasing it being highly technical and an attempt to counteract the weary responses that previous reports have generated. While we do not have the information required to objectively judge the veracity of the claims included in the alert, it does convey a more detailed picture of the alleged cyber attacks which will make its claims easier to verify or debunk in the future. This move toward transparency in turn implies that the US government feels confident that its allegations will stand up to scrutiny.
The direct accusations made against the Russian government in turn may signal a shift in the US government's stance regarding Russia in general. While previous reports identified specific threat actors (such as the infamous APT-28, aka “Fancybear”) and indirectly linked these actors to Russian government interests, the level of direct accusation against the Russian government is unusual for an official report. While individual US legislators have made similar accusations over the past two years, this additional layer of officiality indicates that the overall US government posture on the matter of foreign cyber security threats may begin to shift towards a more aggressive stance.
Summary
The alert released by US-CERT is unusual in both its level of detail and its directness. We interpret this as a sign that US government policy towards foreign cyber-threat actors may be shifting towards more offensiveness. This change would be consistent with the stance of other major governments over the past years, leading to a heightened risk environment overall. While we recommend everyone to follow good security practices, the current tensions make it especially important for individuals connected to governmental, military and core-industrial organizations to remain proactive and prepare their staff to identify and correctly act upon cyber attacks.