NCCIC report discussing Russian cyberattacks on critical infrastructure in the US and other countries
NCCIC report discussing Russian cyberattacks on critical infrastructure in the US and other countries

The DHS/FBI released a report yesterday, in which they said Russians launched attacks on “critical infrastructure entities” in the US and “conducted damaging and/or disruptive cyber-attacks” on critical infrastructure networks in other countries using BlackEnergy and other malware.

Entitled “GRIZZLY STEPPE – Russian Malicious Cyber Activity” (JAR-16-20296), the report was published in conjunction with financial sanctions and ejections imposed on Russian intelligence operatives and private companies that supported the hacking operations.

President Obama said that “all Americans should be alarmed by Russia’s actions.” According to the Washington Post, “the sanctions and expulsions announced Thursday were the most far-reaching U.S. response to Russian activities since the end of the Cold War, and the most specific related to Russian hacking.”

The DHS/FBI also released a long list of malicious C&C servers and file hashes of known malware used in the hacking operations.

Fancy Bear & Cozy Bear

According to the DHS/FBI report, the GRIZZLY STEPPE operation is tied to the:

  • GRU: Russia’s military intelligence service, aka APT28 or Fancy Bear
  • FSB: Russia’s internal security service (formerly the KGB), aka APT29 or Cozy Bear

The report names other groups tied to Russian Military and Civilian Intelligence Services (RIS), including many well-known to the critical infrastructure community such as Dragonfly, Energetic Bear, and Sandworm. It also lists familiar industrial malware platforms including BlackEnergy V3, BlackEnergy2 APT and Havex.

glen-cove-ny-estate-previously-ccupied-by-russian-diplomats
Russian intelligence compound in Glen Cove, NY that was shut down yesterday by Washington

According to the report, the operation is “part of an ongoing campaign” by Russian civilian and military intelligence Services (RIS) “of cyber-enabled operations directed at the U.S. government and its citizens.”

With respect to public attribution, the report states that its information “is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities.”

Russia: Cyber Blurs Lines Between War & Peace

Russia’s recent maneuvers in cyberspace highlight a major shift that has occurred in relations between nation-states.

In 2013, Gen. Valery V. Gerasimov published what became known as the Gerasimov Doctrine, which said that the lines between war and peace had blurred and that covert tactics like cyberwarfare would become more important. He called it “nonlinear war.”

We now see that this doctrine was first implemented with Russian operations in the eastern Ukraine and Crimea during 2014.

The recent DNC hacks in the US – plus reports that Russians attacked Ukrainian artillery equipment with a hacked Android app – make it very clear that we’ve now entered a new era of geo-political conflict in which cyberwarfare has become a primary component.

DHS/FBI Recommended Mitigations

The report provides a detailed list of cybersecurity best practices intended primarily for IT networks – but equally applicable to OT networks and ICS/SCADA security. These include performing ongoing vulnerability assessments, monitoring all transactions for suspicious activity, auditing firewall rules, and patching known vulnerabilities, among others.

Front page of Military-Industrial Kurier, February 27, 2013, where the Gerasimov doctrine first appeared

Click here to request an automated ICS vulnerability assessment from CyberX.