Western security agencies warn of threat to critical infrastructure from Russian hacking groups


Warning comes as Russian state-sponsored threat group Gamaredon launches attacks on targets in Ukraine

In a joint advisory issued on Wednesday, Western governments warned that evolving intelligence indicated that Russia was preparing to launch powerful cyberattacks against rivals who have backed Ukraine.

The cybersecurity agencies of the five allied nations - the United States, United Kingdom, Canada, Australia and New Zealand - said the Ukraine-Russia war meant organisations worldwide were at an elevated risk of cybercrime.

"Russia's invasion of Ukraine could expose organisations both within and beyond the region to increased malicious cyber activity," the US Cybersecurity & Infrastructure Security Agency (CISA) said in a post on its website.

CISA anticipates retaliation for the unprecedented economic sanctions imposed on Russia, as well as the material support provided to Ukraine by the US and its allies, it added.

Russia could also use cybercrime groups to undertake assaults on government institutions and enterprises in Western nations, according to the statement.

Some cybercrime groups have publicly pledged support for the Russian government or the Russian people since Russia's invasion of Ukraine in February 2022, and they have threatened to conduct cyber operations in retaliation for perceived attacks against Russia or material support for Ukraine.

"These Russian-aligned cybercrime groups likely pose a threat to critical infrastructure organisations."

Wednesday's alert said that Russian state-sponsored hackers may breach IT networks, steal massive amounts of data while going undetected, spread damaging malware, and shut down networks via DDoS attacks.

More than a dozen hacking outfits, both part of Russian intelligence and military bodies and privately run, were highlighted as potential threats in the advisory.

The cybersecurity authorities have now urged critical infrastructure network defenders to tighten their cyber defences and undertake due diligence in recognising signs of malicious behaviour in order to prepare for and mitigate any cyber threats.

The warning comes as cybersecurity firm Symantec stated on Wednesday that the Russian state-sponsored threat group Gamaredon (Armageddon/Shuckworm) is now attacking targets in Ukraine with at least four variants of Pterodo (Pteranodon) malware.

The attacks began in July 2021 with spear-phishing emails containing macro-laced Word documents.

These documents run a VBS file that eventually drops a Pteranodon backdoor, a tool Gamaredon has been developing for around seven years.

The researchers discovered that each of the Pteranodon variants used by the hackers communicates with its own, distinct command-and-control (C&C) server.

"The most likely reason for using multiple variants is that it may provide a rudimentary way of maintaining persistence on an infected computer. If one payload or C&C server is detected and blocked, the attackers can fall back on one of the others and roll out more new variants to compensate," the analysis published by Symantec reads.
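The redundancy described above has a practical consequence for defenders: blocking a single C&C address or payload hash is not enough, because the attackers simply fall back to another variant. Detecting the delivery chain itself (an Office application spawning a Windows script host to run VBScript) catches all variants at once. The script below is an added example, not Symantec's tooling or anything published with the advisory; it parses constructed, Sysmon-style process-creation events (the field layout, host names and file paths are assumptions) and flags the macro-to-VBS pattern the article describes.

```python
"""Flag the Office-macro -> VBScript delivery chain in process-creation events.

Added example with constructed sample data; field names and paths are assumptions,
not indicators from the Symantec analysis.
"""
import re
from dataclasses import dataclass

# Parent applications that should not normally launch a script host on a workstation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Windows script hosts capable of running the VBS stage.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events: "host=<name> parent=<path> image=<path> cmd="<command line>""
SAMPLE_EVENTS = [
    # Word launching wscript.exe on a .vbs dropped to %TEMP% (the chain in the article)
    r'host=WS01 parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE image=C:\Windows\System32\wscript.exe cmd="wscript.exe //B C:\Users\u\AppData\Local\Temp\report.vbs"',
    # Benign: Explorer opening Word
    r'host=WS01 parent=C:\Windows\explorer.exe image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE cmd="WINWORD.EXE /n invoice.docx"',
    # Benign: an admin backup script started from Explorer, not from Office
    r'host=WS02 parent=C:\Windows\explorer.exe image=C:\Windows\System32\wscript.exe cmd="wscript.exe C:\Scripts\backup.vbs"',
    # Excel -> cmd.exe -> cscript.exe with a non-.vbs extension (script host hidden one hop down)
    r'host=WS03 parent=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c cscript.exe //E:vbscript C:\Users\u\AppData\Roaming\upd.txt"',
]

EVENT_RE = re.compile(r'host=(\S+) parent=(.*?) image=(.*?) cmd="(.*)"$')


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed event line into a ProcEvent; raises on malformed input."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return ProcEvent(*m.groups())


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_macro_script_chain(ev: ProcEvent) -> bool:
    """True when an Office app spawns a script host directly, or spawns a child whose
    command line invokes a script host or VBScript (covers the cmd.exe hop)."""
    if basename(ev.parent_image) not in OFFICE_APPS:
        return False
    cmd = ev.command_line.lower()
    if basename(ev.image) in SCRIPT_HOSTS:
        return True
    return any(h in cmd for h in SCRIPT_HOSTS) or ".vbs" in cmd or "vbscript" in cmd


def find_suspicious(lines: list[str]) -> list[dict]:
    """Return one finding per event matching the delivery chain."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_macro_script_chain(ev):
            findings.append({
                "host": ev.host,
                "parent": basename(ev.parent_image),
                "child": basename(ev.image),
                "command_line": ev.command_line,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['parent']} -> {f['child']}: {f['command_line']}")
```

The rule keys on the parent/child relationship rather than on file names or C&C addresses, so it fires on the first event (Word directly launching wscript.exe) and on the fourth (Excel reaching cscript.exe through cmd.exe with a renamed script), while ignoring the legitimate Explorer-launched Word and backup-script events. In production the same logic would read Sysmon Event ID 1 or EDR process telemetry instead of the constructed lines.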

Gamaredon is a notorious advanced persistent threat group that has been active since 2013. It has targeted many Ukrainian organisations in recent years, and both security experts and Ukrainian security services believe it is operated directly by the Russian Federal Security Service.

Gamaredon is allegedly responsible for launching espionage and intelligence-gathering attacks on Ukrainian military forces.

In March 2020, Gamaredon was also observed taking advantage of the Covid-19 pandemic to trick targets.