The advisory outlines two intrusion campaigns against U.S. and international energy sector organizations and warns of persistent threats posed by Russian cyber operations.

Credit: American Public Power Association

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) have issued a joint cybersecurity advisory (CSA) on two intrusion campaigns conducted by state-sponsored Russian cyber actors against U.S. and international energy sector organizations. The CSA stated that the attacks occurred between 2011 and 2018 and highlighted the historical tactics, techniques, and procedures (TTPs) used by the adversaries. It also warned of the ongoing threat posed by state-sponsored Russian cyber operations to U.S. energy sector networks and set out best practices for securing industrial control systems (ICS), with mitigations intended to harden corporate enterprise networks.

U.S. DoJ indicts four Russian government employees over historical hacking campaigns

On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) employee for their involvement in intrusion campaigns against international oil refineries, nuclear facilities, and energy companies.

The first was a multi-stage campaign conducted by the FSB in which they gained remote access to U.S. and international energy sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data, the CSA said. “One of the indicted FSB officers was involved in campaign activity that involved deploying Havex malware to victim networks. The other two indicted FSB officers were involved in activity targeting U.S. energy sector networks from 2016 through 2018,” it continued.

The second was the compromise of a Middle East-based energy sector organization with TRITON malware in 2017. “Russian cyber actors with ties to the TsNIIKhM gained access to and leveraged TRITON (also known as HatMan) malware to manipulate a foreign oil refinery’s ICS controllers. TRITON was designed to target Schneider Electric’s Triconex Tricon safety systems and is capable of disrupting those systems. Schneider Electric has issued a patch to mitigate the risk of the TRITON malware’s attack vector. However, network defenders should install the patch and remain vigilant against these threat actors’ TTPs.” The indicted TsNIIKhM cyber actor has been charged with an attempt to access U.S. protected computer networks and cause damage to an energy facility. He was a co-conspirator in the deployment of the TRITON malware in 2017, the CSA stated.

State-sponsored Russian cyber operations remain a threat to U.S. energy sector networks

CISA, the FBI and DOE assessed that state-sponsored Russian cyber operations continue to pose a threat to U.S. energy sector networks and urged critical infrastructure organizations to apply the recommendations to reduce the risk of compromise. “These mitigations are tailored to combat multiple enterprise techniques observed in these campaigns,” the advisory added.
The recommendations provided were:

Privileged account management: Manage the creation of, modification of, use of, and permissions associated with privileged accounts, including system and root.
Password policies: Set and enforce secure password policies for accounts.
Disable or remove features or programs: Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Audit: Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc., to identify potential weaknesses.
Operating system configuration: Make configuration changes related to the operating system, or to a common feature of the operating system, that result in system hardening against these techniques.
Multi-factor authentication (MFA): Enforce MFA by requiring users to provide two or more pieces of information (such as username and password plus a token, e.g., a physical smart card or token generator) to authenticate to a system.
Filter network traffic: Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Network segmentation: Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a demilitarized zone (DMZ) to contain any internet-facing services that should not be exposed from the internal network.
Limit access to resources over the network: Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, Remote Desktop Protocol (RDP) gateways, etc.
Execution prevention: Block execution of code on a system through application control or script blocking.

The advisory also recommends that organizations implement robust network segmentation, virtual local area networks (VLANs), and perimeter security to harden their ICS/OT environments. Updating software, testing patches, using application allow lists, replacing end-of-life software and hardware devices, disabling unused ports and services, configuring encryption and security for network protocols, and maintaining an asset inventory of all hardware, software, and infrastructure technologies were among the other best-practice recommendations for securing ICS.
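As an added illustration of how the segmentation, DMZ, remote-access MFA and end-of-life recommendations above can be checked mechanically against an asset inventory (example code written for this article, not part of the advisory; the inventory, asset names, zone labels and service names are constructed):

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """One row of a constructed ICS asset inventory (zones: enterprise, dmz, ics)."""
    name: str
    zone: str
    internet_facing: bool = False
    open_services: frozenset = frozenset()
    mfa_for_remote: bool = False
    end_of_life: bool = False
    reachable_from: frozenset = frozenset()  # zones with a direct network path to this asset

# Services the advisory singles out for access limiting (file shares, RDP, other remote access).
REMOTE_ACCESS = frozenset({"rdp", "smb", "vnc", "telnet"})

def audit(inventory):
    """Check each asset against the advisory's DMZ, segmentation, MFA and lifecycle points.

    Returns (asset name, finding) pairs; an empty list means no violation was found.
    """
    findings = []
    for a in inventory:
        # Internet-facing services belong in the DMZ, not in the enterprise or ICS zone.
        if a.internet_facing and a.zone != "dmz":
            findings.append((a.name, "internet-facing service outside the DMZ"))
        # ICS assets must not be directly reachable from the enterprise network.
        if a.zone == "ics" and "enterprise" in a.reachable_from:
            findings.append((a.name, "ICS asset directly reachable from the enterprise zone"))
        # File shares and remote access should be gated by MFA (e.g. via an RDP gateway).
        exposed = sorted(a.open_services & REMOTE_ACCESS)
        if exposed and not a.mfa_for_remote:
            findings.append((a.name, "remote access without MFA: " + ",".join(exposed)))
        # End-of-life software or hardware should be replaced.
        if a.end_of_life:
            findings.append((a.name, "end-of-life software or hardware still in service"))
    return findings

# Constructed sample inventory; names and values are hypothetical.
SAMPLE_INVENTORY = [
    Asset("vpn-gw", "dmz", internet_facing=True, open_services=frozenset({"rdp"}), mfa_for_remote=True),
    Asset("hist-01", "ics", open_services=frozenset({"smb"}), reachable_from=frozenset({"enterprise"})),
    Asset("eng-ws", "enterprise", internet_facing=True),
    Asset("plc-safety", "ics", end_of_life=True),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```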