Russia Cyber Threat Overview and Advisories

This page provides an overview of the Cybersecurity and Infrastructure Security Agency’s (CISA's) assessment of the Russian government’s malicious cyber activities. The overview leverages publicly available, open-source intelligence and information regarding this threat. This page also includes a complete list of related CISA publications, many of which are jointly authored with other U.S. government agencies (Note: unless specifically stated, neither CISA nor the U.S. Government attributed specific activity described in the referenced sources to Russian government actors). Additionally, this page provides instructions on how to report related threat activity.

The Russian government engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.[1] Recent Advisories published by CISA and other unclassified sources reveal that Russian state-sponsored threat actors are targeting the following industries and organizations in the United States and other Western nations: COVID-19 research, governments, election organizations, healthcare and pharmaceutical, defense, energy, video gaming, nuclear, commercial facilities, water, aviation, and critical manufacturing. The same reporting associated Russian actors with a range of high-profile malicious cyber activity, including the 2020 compromise of the SolarWinds software supply chain, the 2020 targeting of U.S. companies developing COVID-19 vaccines, the 2018 targeting of U.S. industrial control system infrastructure, the 2017 NotPetya ransomware attack on organizations worldwide, and the 2016 leaks of documents stolen from the U.S. Democratic National Committee.

According to the U.S. Office of the Director of National Intelligence 2021 Annual Threat Assessment, "Russia continues to target critical infrastructure, including underwater cables and industrial control systems, in the United States and in allied and partner countries, as compromising such infrastructure improves—and in some cases can demonstrate—its ability to damage infrastructure during a crisis." The Assessment states that "Russia almost certainly considers cyber attacks an acceptable option to deter adversaries, control escalation, and prosecute conflicts."[2]

Latest U.S. Government Report on Russian Malicious Cyber Activity

On July 20, 2021, the U.S. Government attributed previously published activity targeting industrial control systems to Russian nation-state cyber actors. See the following alerts and advisories that contain information on historical cyber-intrusion campaigns that have targeted ICS:

The Russian Malicious Cyber Activity section below lists all CISA Advisories, Alerts, and Malware Analysis Reports (MARs) on Russian malicious cyber activities. See CISA.gov/supply-chain-compromise for additional partner products.

Russian Malicious Cyber Activity

Much of the information contained in the Advisories, Alerts, and MARs listed below is the result of analytic efforts between CISA, the U.S. Department of Defense (DoD), and the Federal Bureau of Investigation (FBI) to provide technical details on the tools and infrastructure used by Russian state-sponsored cyber actors. The publications below include descriptions of Russian malicious cyber activity, technical details, and recommended mitigations. Users and administrators should flag activity associated with the information in the products listed in table 1 below, report the activity to CISA or FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

Table 1: CISA and Joint CISA Publications

Publication Date / Title / Description

July 20, 2021 These previously published ICS advisories and alerts contain information on historical cyber-intrusion campaigns by Russian nation-state cyber actors.
July 16, 2021 This Advisory details recent Tactics, Techniques and Procedures (TTPs) of the group commonly known as ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’. It also provides indicators of compromise as well as detection and mitigation advice.
July 1, 2021 This Advisory details how the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has targeted hundreds of U.S. and foreign organizations using brute force access to penetrate government and private sector victim networks. The advisory reveals the tactics, techniques, and procedures (TTPs) GTsSS actors used in their campaign to exploit targeted networks, access credentials, move laterally, and collect and exfiltrate data.
May 14, 2021 This Analysis Report provides guidance to federal agencies in crafting eviction plans in response to the SolarWinds Orion supply chain compromise. The guidance is intended for federal agencies with networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity. Although this guidance is tailored to federal agencies, CISA encourages critical infrastructure entities; state, local, tribal, and territorial government organizations; and private sector organizations to review and apply it, as appropriate. Note: For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.
May 7, 2021 This Joint Cybersecurity Advisory (CSA) is on Russian SVR activities related to the SolarWinds Orion compromise. The CSA details SVR tactics, techniques, and procedures (TTPs) and SVR-leveraged malware, including WELLMESS, WELLMAIL, GoldFinder, GoldMax, and possibly Sibot, as well as open-source Red Team command and control frameworks, Sliver and Cobalt Strike. Note: See FactSheet: Russian SVR Activities for summaries of three key Joint CSAs that detail Russian SVR activities related to the SolarWinds compromise. For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.
April 26, 2021 This Joint CSA is on Russian SVR activities related to the SolarWinds Orion compromise. The CSA provides information on SVR TTPs. Specifically, this CSA points out the FBI's observation that, starting in 2018, the SVR shifted from "using malware on victim networks to targeting cloud resources, particularly e-mail, to obtain information." Significantly, SVR's compromise of Microsoft cloud environments following their SolarWinds Orion supply chain compromise is an example of this trend. Note: See FactSheet: Russian SVR Activities for summaries of three key Joint CSAs that detail Russian SVR activities related to the SolarWinds compromise. For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.
April 15, 2021 This Joint CSA is on Russian SVR activities related to the SolarWinds Orion compromise. The CSA details the vulnerabilities the SVR is leveraging—as well as the techniques it is using—in its attempts to compromise U.S. and Allied networks. Note: See FactSheet: Russian SVR Activities for summaries of three key Joint CSAs that detail Russian SVR activities related to the SolarWinds compromise. For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.
March 18, 2021 This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with the SolarWinds Orion supply chain compromise. Note: For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.
January 8, 2021 This Alert is a companion alert to CISA Alert: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. This Alert addresses the APT actor's tactics and techniques. Note: For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.
December 17, 2020 This Alert focuses on an APT actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations. Note: For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.
October 22, 2020 This Joint CSA provides information on Russian state-sponsored APT actor activity targeting various U.S. state, local, tribal, and territorial government networks, as well as aviation networks. This Advisory updates Joint CISA-FBI CSA: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.
October 9, 2020 This Joint CSA provides information on APT actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application.
April 16, 2018 This Joint Technical Alert provides information on the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the internet service providers supporting these sectors.
March 15, 2018 This Joint Technical Alert provides information on Russian government actions targeting U.S. government entities as well as critical infrastructure organizations. It also contains IOCs and technical details on the TTPs used by Russian government cyber actors on compromised victim networks.
July 1, 2017 This Technical Alert provides in-depth technical analysis of NotPetya malware, a Petya malware variant that surfaced on June 27, 2017. The U.S. Government has publicly attributed this NotPetya malware variant to the Russian military.
February 10, 2017 This Analysis Report provides signatures and recommendations to detect and mitigate threats from GRIZZLY STEPPE actors.
December 29, 2016 This Joint Analysis Report provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.


Report Activity Related to This Threat

CISA encourages all organizations to urgently report any additional information related to this threat. Users and administrators should flag associated activity, report the activity to CISA (see below) or FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

  • 1-888-282-0870 (From outside the United States: +1-703-235-8832)
  • Central@cisa.gov (UNCLASS)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA homepage at https://www.us-cert.cisa.gov/.

Mitigate and Detect This Threat

CISA recommends users and administrators review the publications in the Russian Malicious Cyber Activity section as well as the following resources for descriptions of tactics and techniques associated with this threat and recommended mitigations and detections. Note: unless specifically stated, neither CISA nor the U.S. Government attributed specific activity described in the referenced sources to Russian government actors.

Respond to an Incident

CISA recommends users and administrators consult the Joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, which details technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. This Joint Advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.

References

[1] The White House | FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government | April 15, 2021 | URL: https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/

[2] U.S. Office of the Director of National Intelligence | 2021 Annual Threat Assessment | April 9, 2021 | URL: https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf