At a glance.
- More from CISA on Holiday Bear’s tactics.
- Efforts towards securing the US power grid.
More from CISA on Holiday Bear’s tactics.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert with the FBI and the Department of Homeland Security warning government agencies, infotech firms, and think tanks that Cozy Bear is still on the prowl for intelligence. The alert outlines the technical details of the APT’s methods, including its 2018 shift to targeting cloud vulnerabilities. Homeland Security Today notes that the advisory urges mitigation.
Nextgov breaks down the threat actor’s methods, which encompass password spraying, WELLMESS malware, and zero-days. BankInfo Security quotes industry observers who praise the new effort towards intelligence sharing while calling for more specific remediation information.
ClearanceJobs recalls that last week’s CISA alert addressed the Pulse Connect Secure threat vector, and that the chief targets there were US, Asian, and European defense and aerospace firms. Dark Reading adds that the advisory published the week prior described Russia’s use of five known vulnerabilities, noting that when alerts are too frequent, they can become a “distraction” for cybersecurity teams. The most recent warning encouraged the following fixes:
- Multifactor authentication
- Strong passwords
- Routine audits of settings and permissions
- Administrative access restrictions
- Network scanning
- Endpoint protection
- Log file auditing
- Behavioral monitoring
- PowerShell sweeps
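The “log file auditing” and “behavioral monitoring” items above are aimed at exactly the password-spraying technique mentioned earlier: many accounts, one or two guesses each, from a single source, which keeps every individual account below a lockout threshold. The following is an added example, not code from CISA or the advisory, showing what that audit looks like in practice. It parses a small constructed authentication log (the `src=... user=... result=...` format and the IP addresses are invented for the example), and separates a spray (many distinct users, at most two failures each) from a classic brute force (one user, many failures). The `min_users` and `max_per_user` thresholds are assumptions to be tuned to the environment.

```python
"""Flag password-spraying and brute-force patterns in authentication logs.

Added example: the log format, addresses and thresholds are constructed
for illustration, not taken from any advisory or real system.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one source sprays six accounts with a single guess
# each (and lands on the last), one source hammers a single account, and one
# source is a user who mistyped a password once.
SAMPLE_LOG = """\
2021-04-27T09:00:01Z src=203.0.113.10 user=alice result=FAIL
2021-04-27T09:00:03Z src=203.0.113.10 user=bob result=FAIL
2021-04-27T09:00:05Z src=203.0.113.10 user=carol result=FAIL
2021-04-27T09:00:07Z src=203.0.113.10 user=dave result=FAIL
2021-04-27T09:00:09Z src=203.0.113.10 user=erin result=FAIL
2021-04-27T09:00:11Z src=203.0.113.10 user=frank result=SUCCESS
2021-04-27T09:01:00Z src=198.51.100.7 user=alice result=FAIL
2021-04-27T09:01:01Z src=198.51.100.7 user=alice result=FAIL
2021-04-27T09:01:02Z src=198.51.100.7 user=alice result=FAIL
2021-04-27T09:01:03Z src=198.51.100.7 user=alice result=FAIL
2021-04-27T09:01:04Z src=198.51.100.7 user=alice result=FAIL
2021-04-27T09:01:05Z src=198.51.100.7 user=alice result=FAIL
2021-04-27T09:02:00Z src=192.0.2.44 user=grace result=SUCCESS
2021-04-27T09:02:30Z src=192.0.2.44 user=grace result=FAIL
2021-04-27T09:02:35Z src=192.0.2.44 user=grace result=SUCCESS
"""

# Hypothetical line layout; adapt the pattern to the real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass
class SourceStats:
    """Per-source tally: failed attempts per account and accounts logged in."""
    failures_per_user: dict = field(default_factory=lambda: defaultdict(int))
    successes: set = field(default_factory=set)


def parse_log(text):
    """Return one dict per well-formed line; silently skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, min_users=5, max_per_user=2):
    """Classify each source address as password_spray, brute_force or benign.

    Spray: failures spread over at least `min_users` distinct accounts with no
    account failing more than `max_per_user` times (stays under lockout).
    Brute force: at least `min_users` failures against a single account.
    Only non-benign sources are returned, with any accounts that later
    succeeded from the same source so the analyst can prioritise them.
    """
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        if e["result"] == "FAIL":
            s.failures_per_user[e["user"]] += 1
        elif e["result"] == "SUCCESS":
            s.successes.add(e["user"])

    findings = {}
    for src, s in stats.items():
        if not s.failures_per_user:
            continue
        distinct = len(s.failures_per_user)
        total = sum(s.failures_per_user.values())
        peak = max(s.failures_per_user.values())
        if distinct >= min_users and peak <= max_per_user:
            verdict = "password_spray"
        elif distinct == 1 and total >= min_users:
            verdict = "brute_force"
        else:
            verdict = "benign"
        if verdict != "benign":
            findings[src] = {
                "verdict": verdict,
                "distinct_users": distinct,
                "failures": total,
                "followed_by_success": sorted(s.successes),
            }
    return findings


if __name__ == "__main__":
    for src, info in analyze(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The distinguishing signal is the shape of the failures, not their count: the spraying source never fails the same account twice, so a per-account lockout policy alone would never trigger, while aggregating by source address exposes it immediately. In production the same aggregation would be run over a sliding time window, and sources that pivot across many addresses would need a second grouping key (user agent, ASN, or target tenant).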
Efforts towards securing the US power grid.
Meanwhile, the Department of Energy cancelled its 2020 Prohibition Order Securing Critical Defense Facilities, JD Supra reports, and published a Request for Information (RFI) on Ensuring the Continued Security of the United States Critical Electric Infrastructure while inaugurating the sector’s one-hundred-day cybersecurity initiative. The RFI will help Energy weigh “whether and how to advance the Biden-Harris administration’s electric system security priorities.”
The moves come in response to the Biden Administration’s Executive Order (EO) 13990, which temporarily suspended President Trump’s EO 13920 and tasked Energy with evaluating whether a revised EO would be preferable. EO 13920 allowed the Department for one year to block risky foreign bulk-power system equipment in response to backdooring discovered in a made-in-China transformer, as Control Global recounts. Energy’s Prohibition Order applied that authority to China-linked gear serving Critical Defense Facilities (CDFs), defense-critical facilities vulnerable to supply disruptions.
Energy’s Revocation Order recognizes the ongoing threat to the sector from APTs, and lays the groundwork for future risk management measures. The RFI invites stakeholder perspectives on how to harmonize “national security, economic, and administrability considerations.” More specifically, the Department would like input on formulating a comprehensive security plan covering procurement, manufacturing, and equipment testing best practices; addressing possible compromises in existing gear; and expanding protections to distribution facilities supplying CDFs and infrastructure connected to critical services like healthcare and transportation.
Responses are due in June, and the industry plans to “remain vigilant” in the interim. Energy’s one-hundred-day cyber initiative will, as we’ve seen, target industrial control system and supply chain security, among other areas. Control Global reminds us of the stakes: New York City relies on Chinese transformers for ten percent of its power supply. A total of over two hundred large Chinese transformers support the US grid, in addition to untold numbers of valves, pumps, relays, and motors.