CVSS3: 10 High
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: CHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score: 9.8 High (Confidence: High)
CVSS2: 10 High
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.976 High (Percentile: 100.0%)
Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture.
• Patch all systems. Prioritize patching known exploited vulnerabilities.
• Implement multi-factor authentication.
• Use antivirus software.
• Develop internal contact lists and surge support.
Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats.
CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.
CISA, the FBI, and NSA encourage critical infrastructure organization leaders to review CISA Insights: Preparing for and Mitigating Cyber Threats for information on reducing cyber threats to their organization.
Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks. Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:
Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.
In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware. See the following advisories and alerts for information on historical Russian state-sponsored cyber-intrusion campaigns and customized malware that have targeted ICS:
Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal actions includes:
For more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced products below or cisa.gov/Russia.
Table 1 provides common, publicly known TTPs employed by Russian state-sponsored APT actors, which map to the MITRE ATT&CK for Enterprise framework, version 10. Note: these lists are not intended to be all-inclusive. Russian state-sponsored actors have modified their TTPs before based on public reporting.[1] Therefore, CISA, the FBI, and NSA anticipate that the Russian state-sponsored actors may modify their TTPs as they deem necessary to reduce their risk of detection.
Table 1: Common Tactics and Techniques Employed by Russian State-Sponsored APT Actors

| Tactic | Technique | Procedure |
|---|---|---|
| Reconnaissance [TA0043] | Active Scanning: Vulnerability Scanning [T1595.002] | Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. |
| Reconnaissance [TA0043] | Phishing for Information [T1598] | Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. |
| Resource Development [TA0042] | Develop Capabilities: Malware [T1587.001] | Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. |
| Initial Access [TA0001] | Exploit Public Facing Applications [T1190] | Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. |
| Initial Access [TA0001] | Supply Chain Compromise: Compromise Software Supply Chain [T1195.002] | Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. |
| Execution [TA0002] | Command and Scripting Interpreter: PowerShell [T1059.003] and Windows Command Shell [T1059.003] | Russian state-sponsored APT actors have used cmd.exe to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. |
| Persistence [TA0003] | Valid Accounts [T1078] | Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. |
| Credential Access [TA0006] | Brute Force: Password Guessing [T1110.001] and Password Spraying [T1110.003] | Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. |
| Credential Access [TA0006] | OS Credential Dumping: NTDS [T1003.003] | Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit. |
| Credential Access [TA0006] | Steal or Forge Kerberos Tickets: Kerberoasting [T1558.003] | Russian state-sponsored APT actors have performed “Kerberoasting,” whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. |
| Credential Access [TA0006] | Credentials from Password Stores [T1555] | Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. |
| Credential Access [TA0006] | Exploitation for Credential Access [T1212] | Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability CVE-2020-1472 to obtain access to Windows Active Directory servers. |
| Credential Access [TA0006] | Unsecured Credentials: Private Keys [T1552.004] | Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. |
| Command and Control [TA0011] | Proxy: Multi-hop Proxy [T1090.003] | Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic. |
For additional enterprise TTPs used by Russian state-sponsored APT actors, see the ATT&CK for Enterprise pages on APT29, APT28, and the Sandworm Team, respectively. For information on ICS TTPs, see the ATT&CK for ICS pages on the Sandworm Team, BlackEnergy 3 malware, CrashOverride malware, BlackEnergy’s KillDisk component, and NotPetya malware.
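Two of the Credential Access rows in Table 1 (Brute Force: Password Spraying [T1110.003] and Kerberoasting [T1558.003]) leave distinctive traces in the Windows Security log, which is what the proactive hunting this advisory asks for keys on. The following is an added example, not code from the advisory or from CISA, the FBI, or NSA. It runs two simple heuristics over constructed Windows Security event records: event ID 4625 (failed logon) grouped by source IP to find one source failing against many distinct accounts in a short window, and event ID 4769 (Kerberos service ticket request) filtered to RC4-HMAC encryption (TicketEncryptionType 0x17) to find one account requesting tickets for many distinct SPNs. The field names follow the Windows Security log schema; the thresholds, the time window, and every event in SAMPLE_EVENTS are assumptions chosen for the example.

```python
"""Added example (not part of the CISA advisory AA22-011A): two detection
heuristics for Table 1 techniques, run over constructed Windows Security
event records. Field names follow the Windows Security log (EventID,
TargetUserName, IpAddress, ServiceName, TicketEncryptionType); the events,
thresholds and window below are made up for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    # Password spraying pattern: one source fails against many accounts.
    *[{"time": f"2022-01-11T03:00:{i:02d}", "EventID": 4625,
       "TargetUserName": f"user{i:02d}", "IpAddress": "203.0.113.7",
       "Status": "0xC000006D"} for i in range(12)],
    # Benign noise: one user mistyping a password twice from a workstation.
    {"time": "2022-01-11T03:05:00", "EventID": 4625, "TargetUserName": "alice",
     "IpAddress": "10.0.0.15", "Status": "0xC000006D"},
    {"time": "2022-01-11T03:05:10", "EventID": 4625, "TargetUserName": "alice",
     "IpAddress": "10.0.0.15", "Status": "0xC000006D"},
    # Kerberoasting pattern: one account requests RC4 (0x17) tickets for many SPNs.
    *[{"time": f"2022-01-11T04:00:{i:02d}", "EventID": 4769,
       "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": f"svc{i:02d}",
       "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.22"} for i in range(8)],
    # Benign AES (0x12) service ticket request.
    {"time": "2022-01-11T04:01:00", "EventID": 4769,
     "TargetUserName": "carol@CORP.EXAMPLE", "ServiceName": "fileserver01",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31"},
]


def parse_time(value):
    """Parse the ISO 8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=10):
    """T1110.003 heuristic: many distinct accounts failing to log on from one
    source IP inside a sliding time window.

    Returns {source_ip: max_distinct_accounts_seen_in_any_window}."""
    failures = defaultdict(list)  # ip -> [(time, account), ...]
    for event in events:
        if event["EventID"] == 4625:
            failures[event["IpAddress"]].append(
                (parse_time(event["time"]), event["TargetUserName"]))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()  # sort by time so the window slides forward
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {account for _, account in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[ip] = max(hits.get(ip, 0), len(accounts))
    return hits


def detect_kerberoasting(events, min_spns=5):
    """T1558.003 heuristic: one account requesting RC4-HMAC (0x17) service
    tickets for many distinct SPNs. RC4 tickets are the ones worth cracking
    offline, so a downgrade to 0x17 across many services stands out in an
    AES-enabled domain.

    Returns {requesting_account: distinct_spn_count}."""
    rc4_requests = defaultdict(set)  # account -> {service names}
    for event in events:
        if event["EventID"] == 4769 and event.get("TicketEncryptionType") == "0x17":
            rc4_requests[event["TargetUserName"]].add(event["ServiceName"])
    return {account: len(spns) for account, spns in rc4_requests.items()
            if len(spns) >= min_spns}


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(SAMPLE_EVENTS))
    print("kerberoasting candidates:", detect_kerberoasting(SAMPLE_EVENTS))
```

Both functions return only the entities that crossed the threshold, so the same code can be pointed at exported 4625/4769 records from a SIEM; in production the thresholds should be tuned against a baseline, and a 4769 hit is stronger when the requesting account has no business relationship with the SPNs involved.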
Given Russian state-sponsored APT actors’ demonstrated capability to maintain persistent, long-term access in compromised enterprise and cloud environments, CISA, the FBI, and NSA encourage all critical infrastructure organizations to:
ntds.dit file from a domain controller.
Organizations detecting potential APT activity in their IT or OT networks should:
Note: for OT assets, organizations should have a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment. Refer to the Mitigations section for more information.
See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA, the FBI, and NSA encourage critical infrastructure owners and operators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability response.
**Note:** organizations should document incident response procedures in a cyber incident response plan, which organizations should create and exercise (as noted in the Mitigations section).
CISA, the FBI, and NSA encourage all organizations to implement the following recommendations to increase their cyber resilience against this threat.
CISA, the FBI, and NSA recommend organizations apply the best practices below for identity and access management, protective controls and architecture, and vulnerability and configuration management.
Note: CISA, the FBI, and NSA also recommend, as a longer-term effort, that critical infrastructure organizations implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent lateral movement by controlling traffic flows between—and access to—various subnetworks.
If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which DOS is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact +1-202-702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details refer to rewardsforjustice.net/malicious_cyber_activity.
The information you have accessed or received is being provided “as is” for informational purposes only. CISA, the FBI, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or NSA.
[1] Joint NCSC-CISA UK Advisory: Further TTPs Associated with SVR Cyber Actors
Revisions: January 11, 2022: Initial Version; January 25, 2022: Updated broken link; February 28, 2022: Updated broken link
www.fbi.gov/contact-us/field
attack.mitre.org/versions/v10/groups/G0007
attack.mitre.org/versions/v10/groups/G0016
attack.mitre.org/versions/v10/groups/G0034
attack.mitre.org/versions/v10/software/S0089
attack.mitre.org/versions/v10/software/S0604
attack.mitre.org/versions/v10/tactics/TA0001/
attack.mitre.org/versions/v10/tactics/TA0002
attack.mitre.org/versions/v10/tactics/TA0003
attack.mitre.org/versions/v10/tactics/TA0006
attack.mitre.org/versions/v10/tactics/TA0011/
attack.mitre.org/versions/v10/tactics/TA0042/
attack.mitre.org/versions/v10/tactics/TA0043/
attack.mitre.org/versions/v10/techniques/T1003/003/
attack.mitre.org/versions/v10/techniques/T1059/003
attack.mitre.org/versions/v10/techniques/T1059/003
attack.mitre.org/versions/v10/techniques/T1078/
attack.mitre.org/versions/v10/techniques/T1090/003/
attack.mitre.org/versions/v10/techniques/T1110/001
attack.mitre.org/versions/v10/techniques/T1110/003
attack.mitre.org/versions/v10/techniques/T1190/
attack.mitre.org/versions/v10/techniques/T1195/002
attack.mitre.org/versions/v10/techniques/T1212
attack.mitre.org/versions/v10/techniques/T1552/004
attack.mitre.org/versions/v10/techniques/T1555
attack.mitre.org/versions/v10/techniques/T1558/003/
attack.mitre.org/versions/v10/techniques/T1587/001
attack.mitre.org/versions/v10/techniques/T1595/002/
attack.mitre.org/versions/v10/techniques/T1598
attack.mitre.org/versions/v9/techniques/enterprise/
cisa.gov/sites/default/files/publications/CISA_INSIGHTS-Preparing_For_and_Mitigating_Potential_Cyber_Threats-508C.pdf
cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf
collaborate.mitre.org/attackics/index.php/Group/G0007
collaborate.mitre.org/attackics/index.php/Main_Page
collaborate.mitre.org/attackics/index.php/software/S0001
collaborate.mitre.org/attackics/index.php/software/S0004
collaborate.mitre.org/attackics/index.php/software/S0006
collaborate.mitre.org/attackics/index.php/software/S0016
docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage
media.defense.gov/2021/jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
nvd.nist.gov/vuln/detail/CVE-2018-13379
nvd.nist.gov/vuln/detail/CVE-2019-10149
nvd.nist.gov/vuln/detail/CVE-2019-11510
nvd.nist.gov/vuln/detail/CVE-2019-1653
nvd.nist.gov/vuln/detail/CVE-2019-19781
nvd.nist.gov/vuln/detail/CVE-2019-2725
nvd.nist.gov/vuln/detail/CVE-2019-7609
nvd.nist.gov/vuln/detail/CVE-2019-9670
nvd.nist.gov/vuln/detail/CVE-2020-0688
nvd.nist.gov/vuln/detail/CVE-2020-1472
nvd.nist.gov/vuln/detail/CVE-2020-14882
nvd.nist.gov/vuln/detail/CVE-2020-4006
nvd.nist.gov/vuln/detail/CVE-2020-5902
nvd.nist.gov/vuln/detail/CVE-2021-26855
nvd.nist.gov/vuln/detail/CVE-2021-26857
nvd.nist.gov/vuln/detail/CVE-2021-26858
nvd.nist.gov/vuln/detail/CVE-2021-27065
us-cert.cisa.gov/ics/advisories/ICSA-14-178-01
us-cert.cisa.gov/ics/advisories/ICSA-18-107-02
us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-281-01B
us-cert.cisa.gov/ics/alerts/IR-ALERT-H-16-056-01
us-cert.cisa.gov/ics/MAR-17-352-01-HatMan-Safety-System-Targeted-Malware-Update-B
us-cert.cisa.gov/ncas/alerts/aa20-245a
us-cert.cisa.gov/ncas/alerts/aa21-008a
us-cert.cisa.gov/ncas/alerts/aa21-116a
us-cert.cisa.gov/ncas/alerts/aa21-243a
us-cert.cisa.gov/ncas/alerts/TA17-163A
us-cert.cisa.gov/ncas/alerts/TA18-074A
us-cert.cisa.gov/ncas/analysis-reports/ar21-013a
us-cert.cisa.gov/ncas/tips/ST05-012
us-cert.cisa.gov/remediating-apt-compromised-networks
www.cisa.gov/cyber-essentials
www.cisa.gov/cyber-hygiene-services
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/uscert/ncas/alerts/aa20-283a
www.cisa.gov/uscert/ncas/alerts/aa20-296a
www.cisa.gov/uscert/report
www.cisa.gov/uscert/russia
www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors
www.rewardsforjustice.net/malicious_cyber_activity.html
www.us-cert.cisa.gov/ncas/tips/ST04-002
www.us-cert.cisa.gov/russia