
BLUF: Bottom Line Up Front

I want to start this post with the most important thing right up top:

The CISA.gov/Shields-Up page starts with this statement.  PLEASE take it seriously, and escalate to your top management:
“Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, we can use this information to render assistance and as warning to prevent other organizations and entities from falling victim to a similar attack.”

Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to [email protected] or (888) 282-0870.

Anyone who has seen one of my presentations recently knows that I am a huge cheerleader for CISA.gov, the Cybersecurity & Infrastructure Security Agency at DHS, which replaced the National Protection and Programs Directorate (NPPD) that previously led private sector engagement and interaction for DHS.

Previously, I’ve asked people to make sure someone in their organization was watching four critical information-sharing pages at CISA:

  • https://www.cisa.gov/uscert/ncas/current-activity
  • https://www.cisa.gov/uscert/ncas/alerts
  • https://www.cisa.gov/uscert/ncas/bulletins
  • https://www.cisa.gov/uscert/ncas/analysis-reports

I had already said publicly many times that they are doing a PHENOMENAL job of sharing information – unprecedented in my 22 years of working with the government on Critical Infrastructure Protection, from Ron Dick and the NIPC (National Infrastructure Protection Center), serving on the national boards of InfraGard and the Energy ISAC, and interacting with FS-ISAC (Financial Services), H-ISAC (Healthcare), and REN-ISAC (Research and Education).  But now CISA (and the FBI) has taken Information Sharing to a whole new level.

  • Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
  • Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;
  • Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
  • Back up your data and ensure you have offline backups beyond the reach of malicious actors;
  • Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
  • Encrypt your data so it cannot be used if it is stolen;
  • Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and
  • Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.

After this set of announcements, CISA.gov’s director, Jen Easterly, convened a meeting that was attended by more than 13,000 Critical Infrastructure stakeholders from all across the United States, including every sector and every size. A recording of the CISA CALL WITH CRITICAL INFRASTRUCTURE PARTNERS ON POTENTIAL RUSSIAN CYBER ATTACKS AGAINST THE UNITED STATES has been shared on their YouTube page!

During the call, which included FBI Deputy Assistant Director for Cyber, Tonya Ugoretz, and CISA Deputy Executive Assistant Director for Cyber, Matt Hartman,  Director Easterly committed to push to have even more sensitive data released to the public if it would possibly help protect American Critical Infrastructure.  And today, we see a great example of that!

Documentation of Two Historical Hacking Campaigns Against Critical Infrastructure

The FBI and the Department of Justice released the legal side of the story, in the form of an extremely detailed press release about Russian hacking campaigns targeting Critical Infrastructure at hundreds of companies in 135 countries.

The Press Release was accompanied by two indictments: 

Through the new transparency we are seeing, the full details of the indictment are now unsealed, and we learn the attacks were conceived and executed from the Russian Ministry of Defense, Federal Service for Technical and Export Control, in a lab known as the Applied Development Center, which was in turn part of TsNIIKhM, the State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics.

The second indictment, “USA v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov” (36-page indictment), charges members of the Federal Security Service (FSB)’s “Military Unit 71330,” also known as “Center 16.” Members of this lab are better known by their flamboyant APT designations: Dragonfly, Berserk Bear, Energetic Bear, and Crouching Yeti. In particular, this indictment addresses their attacks in 2017, which attempted to target and compromise critical infrastructure and energy companies worldwide, including in the USA generally and in Kansas in particular (the home office of the indictment).

Again, the new transparency shows us that these attacks, also known as Dragonfly, Havex, and Dragonfly 2.0, were supply chain attacks, where various ICS/SCADA system manufacturers had their software manipulated to include malicious backdoors, which would then be downloaded by unsuspecting customers. Through this campaign, at least 17,000 unique devices in the US and elsewhere were compromised, including ICS/SCADA controllers used by power and energy companies. In Dragonfly 2.0, malware was delivered via spear-phishing and watering-hole attacks targeting employees of such companies. At least 3,300 systems were compromised using this methodology as well.

Some of the organizations attacked in this way included the Nuclear Regulatory Commission, Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, Westar Energy in Topeka, Kansas, and the Kansas Electric Power Cooperative.
