CISA Alert AA22-110A – Russian state-sponsored and criminal cyber threats to critical infrastructure.
This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One One Zero Alpha.
Original release date: April Twentieth, twenty twenty two.
The United States, Australia, Canada, New Zealand, and the United Kingdom are releasing this joint Cybersecurity Advisory with contributions from the Joint Cyber Defense Collaborative to warn organizations that Russia’s invasion of Ukraine could expose global organizations to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the US and its allies and partners.
Evolving intelligence indicates that the Russian government is exploring options for cyberattacks. Recent Russian state-sponsored cyber operations have included DDoS attacks and have demonstrated the ability to compromise IT networks; develop mechanisms to maintain persistence; exfiltrate sensitive data from IT and OT networks; and disrupt critical industrial control system functions by deploying destructive malware.
Historical operations have included deploying destructive malware—including BlackEnergy and NotPetya—against the Ukrainian government and critical infrastructure.
Additionally, some cybercrime groups have pledged support for the Russian government. These Russian-aligned cybercriminals have threatened to conduct cyber operations in retaliation for perceived cyber operations against the Russian government or people. Some groups have threatened to conduct cyber operations against countries and organizations providing support to Ukraine.
The alert documentation linked in the show notes includes technical details and TTPs for these threat actors.
The US, Australian, Canadian, New Zealand, and UK authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats—including destructive malware, ransomware, DDoS attacks, and cyber espionage—by hardening their defenses and performing due diligence in identifying indicators of malicious activity. Organizations and defenders should refer to the Mitigations section of the alert linked in the show notes for recommended hardening actions.
For more information on Russian state-sponsored cyber activity and the threat to critical infrastructure, see CISA’s Russia Cyber Threat Overview and Advisories webpage and the other resources linked in the show notes.
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.