NCSC sounds alarm over Russia-backed hacks
The UK’s National Cyber Security Centre joins US calls to be wary of Russian state interference in critical national infrastructure IT systems
The UK’s National Cyber Security Centre (NCSC) has joined key international partners in warning operators of critical national infrastructure (CNI) – such as telecoms networks, energy suppliers and utilities, transport operators, and logistics and distribution specialists – to be on their guard against intrusions into their systems originating from malicious actors linked to the Russian state.
This comes hot on the heels of a joint advisory published by the NCSC’s US counterpart, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, which urged CNI operators to “adopt a heightened state of awareness and to conduct proactive threat hunting”. CNI security has been a hot topic for some time, but came to prominence in the US after the May 2021 ransomware hit on Colonial Pipeline.
The NCSC urged UK-based CNI operators to take immediate action to strengthen their cyber security posture, including patching all systems, giving priority to known exploited vulnerabilities and zero-days; implementing multi-factor authentication; and deploying antivirus software.
The UK authorities are also recommending organisations follow the additional advice set out by the Americans, who also listed 13 high-profile vulnerabilities known to be popular among Russia-based threat groups to gain initial access to their targets – in addition to techniques such as spear phishing and brute force attacks.
The list of 13 common vulnerabilities and exposures (CVEs) is as follows:
- CVE-2018-13379 in FortiGate VPNs;
- CVE-2019-1653 in Cisco routers;
- CVE-2019-2725 in Oracle WebLogic Server;
- CVE-2019-7609 in Kibana;
- CVE-2019-9670 in Zimbra software;
- CVE-2019-10149 in the Exim SMTP mail server;
- CVE-2019-11510 in Pulse Secure;
- CVE-2019-19781 in Citrix;
- CVE-2020-0688 in Microsoft Exchange;
- CVE-2020-4006 in VMware;
- CVE-2020-5902 in F5 Big-IP;
- CVE-2020-14882 in Oracle WebLogic;
- CVE-2021-26855 in Microsoft Exchange, which is frequently chained with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Neither the American nor British authorities have disclosed any specific intelligence related to any ongoing Russian state-backed cyber campaigns at this time, which is not to say such intelligence does not exist.
Tripwire strategy vice-president Tim Erlin said: “It’s important to remind ourselves that critical infrastructure is more than just a phrase. It describes a vast cross-section of infrastructure on which we rely. Critical infrastructure really is critical.
“This alert not only contains information about the threat, but real, actionable information that organisations can use to defend themselves,” he said. “The use of the MITRE ATT&CK framework to identify the malicious activity, and to map to valid mitigation actions, is highly valuable.
“This alert is focused on a specific set of threats and actions to identify and respond to those threats,” said Erlin. “Organisations should also review their preventive controls against the tools and techniques described in this alert. Identifying the attack in progress is important, but preventing the attack from being successful at all is better.”
Tim Helming, security evangelist at DomainTools, agreed the wider CISA advisory contained good guidance, although he noted little of it would be news to on-the-ball security teams.
“Many in the critical infrastructure community take an ‘assume breach’ posture already, based on what we know about the capabilities of these actors,” said Helming.
“Procedures and tools to improve asset visibility and vulnerability management, identity and access management, log management, ingress and egress filtering, anomaly detection, and behavioural analytics are all recognised as fundamental necessities, and it’s safe to say they are being actively improved, to a greater or lesser extent, in the majority of installations.
“So why did CISA et al issue the advisory? In part, because if they weren’t on record doing so and a compromise were confirmed, it would have been a glaring gap,” he said. “It also gives owners and operators facing resource constraints more support in their requests, and it’s important not to underestimate how important that can be.”