Alert (AA22-110A) – How to Deal with russian APT

Already at the beginning of February, the Polish Government Security Center warns services and public administration, so that they are vigilant against cyber threats from Russia. Given the arsenal of software used against by Russia against Ukraine among the years (which we described in our series of articles) and invasion on Ukraine at the end of February – the warning was more than valid.

We have April 20… 5 eye country cybersecurity authorities: US, Austria, Canada, New Zealand and UK publish quite a few updated IT security briefings.

Reason? Intelligence data shows that the Russian government is investigating possibilities for cyberattacks on US and EU (see U.S. President Biden’s March 21, 2022 statement for more information). Some cybercriminal groups have publicly pledged support to the Russian government. These kremlin-linked cybercriminal groups have threatened to launch malicious cyber operations in retaliation for alleged cyber attacks against the Russian government or the Russian people. Some groups also threat to launch those operations against countries providing material support for Ukraine.

The published materials concern protection against the state-sponsored Russian APT, their code of conduct, techniques, tactics and procedures – TTP. They are designed to help provide cybersecurity support to protect against cyber threats originating from them.

Below the list of key resources:

• Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

• Cybersecurity and Infrastructure Security Agency (CISA) Shields Up and Shields Up Technical Guidance

• Australian Cyber Security Center (ACSC) – Australian Organisations Should Urgently Adopt an Enhanced Cyber Security Posture.

• Canadian Centre for Cyber ​​Security (CCCS) – Cyber Centre urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity

• New Zealand National Cyber Security Center (NZ NCSC) – Understanding and preparing for cyber threats relating to tensions between Russia and Ukraine

• Guidance by UK National Cyber Security Center (NCSC-UK) – guidance & bolster cyber defences

The reports contain both general organizational guidelines and specific technical risk mitigation measures. For example, below is a list of the most frequently used vulnerabilities by Russian APT:

• CVE-2018-13379 FortiGate VPNs

• CVE-2019-1653 Cisco router

• CVE-2019-2725 Oracle WebLogic Server

• CVE-2019-7609 Kibana

• CVE-2019-9670 Zimbra software

• CVE-2019-10149 Exim Simple Mail Transfer Protocol

• CVE-2019-11510 Pulse Secure

• CVE-2019-19781 Citrix

• CVE-2020-0688 Microsoft Exchange

• CVE-2020-4006 VMWare (note: this was a zero-day at time.)

• CVE-2020-5902 F5 Big-IP

• CVE-2020-14882 Oracle WebLogic

• CVE-2021-26855 Microsoft Exchange (Note: this vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)

The above information activities are a response to the unprecedented economic costs imposed on Russia with sanctions and help towards Ukraine’s allies who provide active support, which may result in cyber attacks by Russia. In Poland, there is a reason why the third level of alert – CHARLIE – has been in force since February 24. Sharing knowledge on this subject is not only good practice – it is also a duty. Please contact us if you are interested in detailed guidelines.