Five Eyes Release Joint Cybersecurity Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

Once again, we assume most US-CERT Cybersecurity Alerts cross the desks of our members in a timely manner. Still, we have made the editorial choice to err on the side of caution and publish standalone OODA Loop posts for the unprecedented type of Joint Cybersecurity Advisory (CSA) currently being released in response to the heightened threat of a cyber attack on the U.S. homeland arising from Russia's war in Ukraine.

Overall, as OODA CTO Bob Gourley recently pointed out: "We are so pleased with the quality of work and the professionalism in recent reporting from our government agencies on the nature of the cyber threat. In particular, the Joint Cybersecurity Advisory (CSA) released yesterday is one of the best."

The Joint CSA to which Bob refers was released by eight cybersecurity authorities of the five Five Eyes nations, which is unprecedented. Five Eyes organizations have released joint advisories in the past, but never before has a joint CSA been "coauthored by U.S., Australian, Canadian, New Zealand, and UK cyber authorities with contributions from industry members of the CISA Joint Cyber Defense Collaborative (JCDC)."

US-CERT Alert (AA22-110A):  Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

From the Alert:

The cybersecurity authorities of the United States[1][2][3], Australia[4], Canada[5], New Zealand[6], and the United Kingdom[7][8] are releasing this joint Cybersecurity Advisory (CSA). The intent of this joint CSA is to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.

Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information). Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations.

Additionally, some cybercrime groups have recently publicly pledged support for the Russian government. These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people. Some groups have also threatened to conduct cyber operations against countries and organizations providing materiel support to Ukraine. Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive.

This advisory updates joint CSA Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, which provides an overview of Russian state-sponsored cyber operations and commonly observed tactics, techniques, and procedures (TTPs). This CSA—coauthored by U.S., Australian, Canadian, New Zealand, and UK cyber authorities with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC)—provides an overview of Russian state-sponsored advanced persistent threat (APT) groups, Russian-aligned cyber threat groups, and Russian-aligned cybercrime groups to help the cybersecurity community protect against possible cyber threats.

U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities urge critical infrastructure network defenders to prepare for and mitigate potential cyber threats—including destructive malware, ransomware, DDoS attacks, and cyber espionage—by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity. Refer to the Mitigations section of this advisory for recommended hardening actions.

For more information on Russian state-sponsored cyber activity, see CISA’s Russia Cyber Threat Overview and Advisories webpage. For more information on the heightened cyber threat to critical infrastructure organizations, see the following resources:

Technical Details

In our experience, the Google Cybersecurity Action Team (with its Cloud Threat Intel reporting) and Microsoft Security provide some of the best-in-class reporting on APTs and known, "named" state-sponsored and criminal cyber threat groups. This Joint CSA is on par with any of those private-sector efforts to date, which represents a sea change: government agencies are now reporting technical details directly, in the form of a joint CSA, at the same level of specificity.

We would not do the Technical Details section of the advisory justice by simply cutting and pasting it into the body of this post. We encourage all cybersecurity professionals to spend some time with the technical details themselves: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure. The References section of the document (with hyperlinks) is also impressive.

Consistent with Bob's praise of recent government agency efforts to address the seriousness and severity of the threat at hand, it is clear that the CISA JCDC collaboration is yielding positive results. It has produced a more transparent communication style regarding the release of specific threat information, information that would probably have stayed classified without the influence of the private-sector approaches to crisis communication and management that are now clearly in the mix. We applaud these efforts and want to acknowledge the effectiveness of the public-facing outcome in the form of this CSA.

OODA Recommendations

In the current climate, with a credible threat of a Russian cyberattack on the U.S., if you are preparing your organization or your household to mitigate risk, please see OODA CTO Bob Gourley's Guide For Business: Final checks for reducing risks in the face of nation-state cyber-attacks based on White House advisory. In that post, Bob itemizes OODA recommendations for:

  • Large Businesses/Large Federal Government Agencies
  • Small To Mid-Sized Businesses/State and Local Governments; and
  • Individuals

Bob’s most recent post is also prescriptive:  Four Urgent Actions For The C-Suite To Prepare For High End Cyberattacks

OODA is here to help.  OODA members can contact us by replying to any of our emails or using this form.

Further OODA Loop Resources

TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies

Industroyer2 and Pipedream ICS/SCADA Malware: DOE, CISA, NSA, and the FBI Release Joint Cybersecurity Advisory

The CISA Shields Up! Initiative

Preparing for Cyber Attacks: The CISA Online Resource Hub

CISA, FBI Issue Joint Cybersecurity Advisory for SATCOM Ecosystem Following Viasat Cyberattack

The FBI Cyber Division, NSA, Australian Cyber Security Centre, and the UK’s NCSC Issue Joint CSA on Global Ransomware Activity

CISA Insights Bulletin Urges U.S. Preparation for Data Wiping Attacks

Log4Shell Update from CISA Director Easterly and DHS CISA JCDC Company Updates

C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine

CISA Apache Log4j Vulnerability Guidance Webpage Up and Running with Mitigation Guidance from JCDC Partners

A Call to Action from CISA’s Jen Easterly and Def Con’s Jeff Moss at Inaugural CISA Advisory Committee Mtg.

At Black Hat 2021, CISA Director Jen Easterly launches CISA JCDC (Joint Cyber Defense Collaborative)

Stay Informed

It should go without saying that tracking threats is critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and the risks to business operations.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.