CISA Alert AA22-083A – TTPs of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Zero Eight Three Alpha.

​​Original release date: March 24, 2022.

This joint Cybersecurity Advisory provides information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted US and international Energy Sector organizations. CISA, the FBI, and DOE assess that state-sponsored Russian cyber operations continue to pose a threat to Energy Sector networks and are sharing this information in order to highlight TTPs used by adversaries to target Energy Sector organizations. They urge the Energy Sector and other critical infrastructure organizations to apply the recommendations listed in the Mitigations Section and Appendix Alpha of the alert documentation to reduce the risk of compromise. 

On March 24, 2022, the DOJ unsealed indictments of three Russian FSB officers and a Central Scientific Research Institute of Chemistry and Mechanics employee for their involvement in the following intrusion campaigns against US and international oil refineries, nuclear facilities, and energy companies.

Global Energy Sector Intrusion Campaign: From 2011 to 2018, the FSB conducted a multi-stage campaign in which they gained remote access to US and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data. One of the indicted FSB officers was involved in a campaign that deployed Havex malware to victim networks.

Compromise of an Energy Sector organization in the Middle East: In 2017, Russian cyber actors with ties to the Central Scientific Research Institute of Chemistry and Mechanics gained access to and leveraged TRITON malware, also known as HatMan, to manipulate a foreign oil refinery’s ICS controllers. TRITON was designed to target Schneider Electric’s Tricon safety systems and is capable of disrupting those systems. Schneider Electric has issued a patch to mitigate the risk of this attack vector. Network defenders should install the patch and remain vigilant against these threat actors’ TTPs.

The alert documentation linked in the show notes provides specific mitigation actions for both Enterprise IT and Industrial Control System environments. Appendix Alpha of the documentation maps the adversary TTPs to the MITRE ATT&CK for Enterprise and ATT&CK for ICS frameworks.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.