The cybersecurity agencies of the United States, Britain, Australia, Canada and New Zealand – which together form the Five Eyes intelligence-sharing alliance – released a joint Cybersecurity Advisory (CSA) warning organisations that Russia may be targeting critical infrastructure within Ukraine and beyond her borders. There has been “an increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups”. This advice comes just days after CISA posted another alert regarding Russian state actors targeting SCADA devices and systems.
“This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners,” the U.S. Cybersecurity & Infrastructure Security Agency (CISA) said in a statement on its website.
Russian cybercriminal groups have also pledged to support Russia in its war against Ukraine.
ITC-TI recommendations and Mitigations
If operating in a cloud environment, make sure your organisation has strong security controls and hardening of systems. These include, but are not limited to:
- Enforce MFA
- Patch all systems
- Secure and monitor remote desktop (RDP)
- Routinely review user-created email forwarding rules and alerts, or restrict forwarding
- Scan for what ports are open and closed
- Monitor for unusual network traffic both in and outbound
- Review Active Directory (AD) sign-in logs
- User education regarding opening documents and links
- Ensure defensive operations and programs are up to date – antivirus/antimalware.
- Use publicly available resources to identify credential abuse within cloud environments
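As an added illustration of the two log-review items above (reviewing AD sign-in logs and identifying credential abuse), the following Python script is example code written for this roundup, not ITC tooling or anything from the advisory. It assumes a sign-in export with the columns timestamp,user,source_ip,result; the log lines are constructed, and the thresholds (five users sprayed from one IP, five failures against one account) are illustrative values an analyst would tune to their own environment.

```python
"""Review sign-in log exports for credential-abuse patterns.

Added example, not ITC's own code. Assumes a CSV export with columns
timestamp,user,source_ip,result and uses illustrative thresholds.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export for demonstration, not real customer data.
SAMPLE_LOG = """\
timestamp,user,source_ip,result
2022-04-21T08:00:01Z,alice,203.0.113.10,failure
2022-04-21T08:00:02Z,bob,203.0.113.10,failure
2022-04-21T08:00:03Z,carol,203.0.113.10,failure
2022-04-21T08:00:04Z,dave,203.0.113.10,failure
2022-04-21T08:00:05Z,erin,203.0.113.10,failure
2022-04-21T08:00:06Z,frank,203.0.113.10,success
2022-04-21T09:10:00Z,alice,198.51.100.7,failure
2022-04-21T09:10:05Z,alice,198.51.100.7,failure
2022-04-21T09:10:10Z,alice,198.51.100.7,failure
2022-04-21T09:10:15Z,alice,198.51.100.7,failure
2022-04-21T09:10:20Z,alice,198.51.100.7,failure
2022-04-21T09:10:25Z,alice,198.51.100.7,failure
2022-04-21T09:10:30Z,alice,198.51.100.7,success
2022-04-21T10:00:00Z,grace,192.0.2.44,success
"""

# Illustrative thresholds (assumed values; tune per environment).
SPRAY_MIN_USERS = 5      # distinct users failing from one source IP
BRUTE_MIN_FAILURES = 5   # failures against one account from one IP


def parse_log(text):
    """Parse the CSV export into a list of dicts, one per sign-in event."""
    return list(csv.DictReader(io.StringIO(text)))


def find_credential_abuse(events):
    """Return password-spray IPs, brute-forced accounts, and successful
    sign-ins that followed a burst of failures from the same source IP."""
    fails_by_ip = defaultdict(set)     # source_ip -> users with failures
    fails_by_pair = defaultdict(int)   # (source_ip, user) -> failure count
    suspicious_successes = []
    for e in events:                   # events are processed in log order
        key = (e["source_ip"], e["user"])
        if e["result"] == "failure":
            fails_by_ip[e["source_ip"]].add(e["user"])
            fails_by_pair[key] += 1
        elif e["result"] == "success":
            # A success is suspicious when the same IP has already failed
            # against many users (spray) or many times against this user.
            if (len(fails_by_ip[e["source_ip"]]) >= SPRAY_MIN_USERS
                    or fails_by_pair[key] >= BRUTE_MIN_FAILURES):
                suspicious_successes.append(
                    (e["timestamp"], e["user"], e["source_ip"]))
    return {
        "password_spray_ips": sorted(
            ip for ip, users in fails_by_ip.items()
            if len(users) >= SPRAY_MIN_USERS),
        "brute_forced_accounts": sorted(
            (ip, user) for (ip, user), n in fails_by_pair.items()
            if n >= BRUTE_MIN_FAILURES),
        "suspicious_successes": suspicious_successes,
    }


if __name__ == "__main__":
    for name, hits in find_credential_abuse(parse_log(SAMPLE_LOG)).items():
        print(name, hits)
```

On the sample data the script flags 203.0.113.10 as a spray source, alice as a brute-forced account, and two successful sign-ins (frank and alice) that followed failure bursts; those successes are the events that warrant immediate follow-up, since they are where credential abuse may have turned into access.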
Within our 24×7 operations centre, ITC is carrying out threat hunting across all our customers to establish if there has been any malicious activity matching the IOCs and TTPs in relation to the contents of this roundup.
For our Sentinel customers, we continue to build and refine analytical rules to detect specific tactics used by threat actors and, as new IOCs become available, to look for historical signs of compromise. These IOCs are then fed into a long-term watchlist that is matched regularly against customer environments to detect future signs of compromise.