Chris Swagler | March 2nd, 2022

The Cybersecurity and Infrastructure Security Agency (CISA) has published an overview of the Russian government’s malicious cyber activities. The overview is publicly available and compiles open-source intelligence and prior advisories on these threats.

The motives behind the Russian government’s malicious cyber activities are to enable broad-scale cyber espionage, suppress certain social and political activity, steal intellectual property, and harm regional and international adversaries. According to CISA and other unclassified sources, recent advisories show that Russian state-sponsored threat actors are targeting the following sectors and organizations in the United States and other Western nations: COVID-19 research, governments, election organizations, healthcare and pharmaceuticals, defense, energy, video gaming, nuclear, commercial facilities, water, aviation, and critical manufacturing. Russian actors have also been linked to numerous high-profile malicious cyber activities, including the compromise of the SolarWinds software supply chain, targeting of U.S. companies developing COVID-19 vaccines, targeting of U.S. industrial control system infrastructure, the NotPetya attack on organizations worldwide (presented as ransomware, but in effect a destructive wiper, since the encrypted data could not be recovered), and the leak of documents stolen from the U.S. Democratic National Committee.

The U.S. Office of the Director of National Intelligence’s 2021 Annual Threat Assessment states that Russia continues to target critical infrastructure, including underwater cables and industrial control systems, in the United States and in allied and partner countries in order to improve its ability to damage that infrastructure and disrupt response efforts during a crisis. According to the assessment, Russia almost certainly considers cyberattacks an acceptable option to deter adversaries, control escalation, and prosecute conflicts. CISA, the National Cyber Security Centre of the United Kingdom (NCSC-UK), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory reporting that the threat actor known as Sandworm or Voodoo Bear is using new malware known as Cyclops Blink. Cyclops Blink appears to be a replacement framework for VPNFilter, malware that compromised network devices, primarily small office/home office (SOHO) routers and network-attached storage (NAS) devices.

According to the NCSC, CISA, and the FBI, the Sandworm actor has previously been attributed to the Russian General Staff Main Intelligence Directorate (GRU) Main Centre for Special Technologies (GTsST). The agencies have observed Russian state-sponsored cyber actors regularly targeting U.S. cleared defense contractors (CDCs). The actors have targeted both large and small CDCs and their subcontractors, organizations with widely varying levels of cybersecurity controls and resources. Another advisory details how the GRU 85th Main Special Service Center (GTsSS) targeted and exploited hundreds of U.S. and foreign organizations and private-sector victim networks, obtaining credentials, moving laterally, and collecting and exfiltrating data.

Joint advisories have also detailed Russian SVR activity related to the SolarWinds Orion compromise, including the exploitation of vulnerabilities to breach U.S. and allied networks and the use of malware on victim networks to target cloud resources and obtain information. Another advisory reports that APT actors exploited multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability, a tactic known as vulnerability chaining, in which several vulnerabilities, none of which may be critical on its own, are exploited in sequence within a single intrusion to compromise a network or application. A joint Technical Alert provided information on Russian state-sponsored threat actors exploiting network infrastructure devices worldwide, targeting government and private-sector organizations, critical infrastructure providers, and the internet service providers that support those sectors.

With Russia’s invasion of Ukraine and its malicious cyber activity against organizations in the United States and other Western nations, it is more critical than ever for companies to stay on top of the current threat landscape and keep their network and security software patched and up to date to prevent potential breaches. At SpearTip, we specialize in incident response and breach handling with one of the fastest response times in the industry. Our certified engineers work 24/7/365 in our Security Operations Center, monitoring companies’ networks for potential threats, including ransomware. Being proactive, especially in the current situation, is the best way to stay ahead of these threats. SpearTip’s ShadowSpear, our endpoint detection and response platform, is a proactive tool that improves visibility and can be integrated with any cloud, network, or endpoint to provide an extra layer of cybersecurity.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.