BLUF: Bottom Line Up Front
I want to start this article with the most important thing at the top:
Organizations must report any abnormal cyber activity and/or cyber incidents, 24 hours a day, 7 days a week, to report@cisa.gov or (888) 282-0870.
Anyone who has seen one of my presentations recently knows that I am a strong supporter of CISA.gov, the DHS Cybersecurity and Infrastructure Security Agency, which replaced the National Protection and Programs Directorate (NPPD) that previously led private sector engagement and interaction for DHS.
Previously, I asked people to make sure someone in their organization monitored four critical information sharing pages at CISA.
- https://www.cisa.gov/uscert/ncas/current-activity
- https://www.cisa.gov/uscert/ncas/alerts
- https://www.cisa.gov/uscert/ncas/bulletins
- https://www.cisa.gov/uscert/ncas/analysis-reports
I had already said publicly several times that they were doing a PHENOMENAL job of sharing information, unparalleled in my 22 years of working with the government on critical infrastructure protection, from Ron Dick and the NIPC (National Infrastructure Protection Center), to sitting on national-level boards of directors of InfraGard and the Energy ISAC, to interacting with FS-ISAC (Financial Services), H-ISAC (Healthcare) and REN-ISAC (Research and Education). But now CISA (and the FBI) have taken information sharing to a whole new level.
- Mandate the use of multi-factor authentication on your systems to make it more difficult for attackers to access your systems;
- Deploy modern security tools on your computers and devices to continually scan for and mitigate threats;
- Check with your cybersecurity professionals to ensure your systems are patched and protected against all known vulnerabilities, and change passwords on your networks so that previously stolen credentials are useless to malicious actors;
- Back up your data and make sure you have offline backups out of reach of bad actors;
- Conduct exercises and review your contingency plans so you are ready to respond quickly to minimize the impact of any attack;
- Encrypt your data so that it cannot be used if stolen;
- Educate your employees on common tactics attackers will use via email or websites, and encourage them to report if their computers or phones have exhibited unusual behavior, such as unusual crashes or very slow operation; and
- Proactively engage with your local FBI office or regional CISA office to build relationships in advance of any cyber incident. Please encourage your IT and security managers to visit the websites of CISA and the FBI, where they will find technical information and other useful resources.
Following this series of announcements, CISA.gov Director Jen Easterly convened a meeting attended by more than 13,000 critical infrastructure stakeholders from across the United States, of all sectors and sizes. A recording of CISA CALL WITH CRITICAL INFRASTRUCTURE PARTNERS ON POTENTIAL RUSSIAN CYBER ATTACKS AGAINST THE UNITED STATES was shared on their YouTube page!
During the call, which included FBI Deputy Assistant Director for Cybersecurity Tonya Ugoretz and CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman, Director Easterly pledged to push for even more sensitive data to be made public if doing so will help protect United States critical infrastructure. And today we see a great example of this!
Documenting two historic hacking campaigns against critical infrastructure
The FBI and Department of Justice supplied the legal side, in the form of an extremely detailed press release on Russian hacking campaigns targeting the critical infrastructure of hundreds of companies in 135 countries.
The press release was accompanied by two indictments:
Thanks to the new transparency we are witnessing, all the details of the indictment are now revealed, and we learn that the attacks were designed and executed by the Russian Ministry of Defense, Federal Technical Control and Expert Service, in a laboratory known as the Center for Applied Development, which in turn was part of TsNIIKhM, the State Research Center of the Central Scientific Research Institute of Chemistry and Mechanics of the Russian Federation.
Once again, the new transparency shows us that these attacks, also known as Dragonfly, Havex and Dragonfly 2.0, were supply chain attacks, in which various ICS/SCADA system manufacturers had their software manipulated to include malicious backdoors that would then be downloaded by unsuspecting customers. Through this campaign, at least 17,000 unique devices in the United States and elsewhere were compromised, including ICS/SCADA controllers used by power and energy companies. In the Dragonfly 2.0 phase, malware was distributed via spear phishing attacks and watering hole attacks targeting employees of these companies. At least 3,300 systems were compromised using this methodology.
Among the organizations attacked in this manner were the Nuclear Regulatory Commission, the Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, Westar Energy in Topeka, Kansas, and the Kansas Electric Power Cooperative.