Russia’s Invasion of Ukraine and the New Era of CISA/FBI Transparency


BLUF: lower result at the front

I want to start this article with the most important thing at the top:

THE the page begins with this statement. PLEASE take this seriously and report it to your management:
“Russia’s invasion of Ukraine could impact organizations inside and outside the region, including malicious cyber activity against the American homeland, particularly in response to the unprecedented economic costs imposed on Russia by the United States and our allies and partners. Intelligence developments indicate that the Russian government is exploring options in the event of potential cyberattacks. Every organization, large and small, must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA is prepared to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported promptly, we may use this information to provide assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.

Organizations must report any abnormal cyber activity and/or cyber incidents 24 hours a day, 7 days a week to Or (888) 282-0870.

Anyone who has seen one of my presentations recently knows that I am a strong supporter of, the DHS Cybersecurity and Infrastructure Security Agency, which replaced the National Protection and Programs Directorate (NPPD) who previously led private sector engagement and interaction for DHS.

Previously, I asked people to make sure someone in their organization monitored four critical information sharing pages at CISA.


I had already said publicly several times that they were doing a PHENOMENAL job of sharing information – unparalleled in my 22 years of working with the government on critical infrastructure protection, from Ron Dick and the NIPC (National Infrastructure Protection Center), sitting at national level. boards of directors of InfraGard and Energy ISAC, and interacting with FS-ISAC (Financial Services), H-ISAC (Healthcare) and REN-ISAC (Research and Education). But now CISA (and the FBI) ​​have taken information sharing to a whole new level.

  • Force the use of multi-factor authentication on your systems to make it more difficult for attackers to access your system;
  • Deploy modern security tools on your computers and devices to continually scan for and mitigate threats;
  • Check with your cybersecurity professionals to ensure your systems are patched and protected against all known vulnerabilities, and change passwords on your networks so that previously stolen credentials are useless to malicious actors;
  • Back up your data and make sure you have offline backups out of reach of bad actors;
  • Conduct exercises and review your contingency plans so you are ready to respond quickly to minimize the impact of any attack;
  • Encrypt your data so that it cannot be used if stolen;
  • Educate your employees on common tactics attackers will use via email or websites, and encourage them to report if their computers or phones have exhibited unusual behavior, such as unusual crashes or very slow operation; And
  • Proactively engage with your local FBI office or regional CISA office to build relationships in advance of any cyber incident. Please encourage your IT and security managers to visit the websites of LPCC and the FBI where they will find technical information and other useful resources.

Following this series of announcements, Director Jen Easterly convened a meeting attended by more than 13,000 critical infrastructure stakeholders from across the United States, of all sectors and sizes. A recording of CISA CALL WITH CRITICAL INFRASTRUCTURE PARTNERS ON POTENTIAL RUSSIAN CYBER ATTACKS AGAINST THE UNITED STATES was shared on their YouTube page!

During the call, which included FBI Deputy Assistant Director for Cybersecurity Tonya Ugoretz and CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman, Director Easterly pledged to push for even more sensitive data be made public if it will help protect the United States. Critical infrastructure. And today we see a great example of this!

Documenting two historic hacking campaigns against critical infrastructure

The FBI and Department of Justice released the legal part, in the form of an extremely detailed press release on Russian hacking campaigns targeting the critical infrastructure of hundreds of companies in 135 countries.

The press release was accompanied by two indictments:

Thanks to the new transparency we are witnessing, all the details of the indictment are now revealed and we learn that the attacks were designed and executed by the Russian Ministry of Defense, Federal Technical Control and Expert Service, in a laboratory known as the Center for Applied Development. , which in turn was part of TsNIIKhM, the State Research Center of the Central Scientific Research Institute of Chemistry and Mechanics of the Russian Federation.

The second indictment, “United States v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov“, (36-page indictment) targets members of “military unit 71330” of the Federal Security Service (FSB), also known as “Center 16”. The members of this laboratory are better known under their flamboyant APT designations: Dragonfly, Berzerk. Bear, Energetic Bear, and Crouching Yeti. This indictment specifically concerns their 2017 attacks that attempted to target and compromise critical infrastructure and energy companies around the world, including the United States in general and Kansas in particular (the indictment’s headquarters).

Once again, the new transparency shows us that these attacks, also known as Dragonfly, Havex and Dragonfly 2.0, were supply chain attacks, where various ICS/SCADA system manufacturers had their software manipulated to include malicious backdoors that would be downloaded by unsuspecting customers. Through this campaign, at least 17,000 unique devices in the United States and elsewhere were compromised, including ICS/SCADA controllers used by power and energy companies. In version 2.0, malware was distributed via spear phishing attacks and watering hole attacks targeting employees of these companies. At least 3,300 systems were also compromised using this methodology.

Among the groups attacked in this manner were the Nuclear Regulatory Commission, the WolfCreek Nuclear Operation Corporation in Burlington, Kansas, Westar Energy in Topeka, Kansas, and the Kansas Electric Power Cooperative.

Leave a comment