Critical national infrastructure is at “increased risk of malicious cyber activity” perpetrated by Russia, according a warning by the UK and its allies in the ‘Five Eyes’ security alliance. A rare joint advisory from the Five Eyes nations states that the war in Ukraine and the sanctions imposed on Russia mean the threat to infrastructure has increased in recent days.
“Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks,” reads the statement issued by the UK’s National Cyber Security Centre (NCSC), its US equivalent CISA and their colleagues in Australia, New Zealand and Canada late on Wednesday.
The advisory names Russian government organisations including its Foreign Intelligence Service (FSB), the Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU) and the Russian Ministry of Defence, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM) as potential perpetrators of attacks, and details previous attacks, as well as ways to mitigate future malicious activity.
Cybercrime gangs listed in the report include the CoomingProject, Killnet, Mummy Spider, Salty Spider, Scully Spider, Smokey Spider, Wizard Spider and the Xaknet Team, many of which have publicly announced their support of Russia’s war in Ukraine.
“Threats to critical infrastructure remain very real,” said NSA cybersecurity director Rob Joyce. “The Russia situation means you must invest and take action.”
Is a Russian cyberattack on critical infrastructure imminent?
Fears of increased Russian cyber activity have been raised since the war in Ukraine began, but so far attacks have had limited impact. Experts told Tech Monitor that most attacks relating to the conflict have been “no more than a nuisance“. The statement from the Five Eyes countries suggests this could be changing.
“This is certainly a serious concern for the US, UK, and their allies and deserves to be taken more seriously than your average bulletin,” says Chet Wisniewski, principal research scientist at security company Sophos.
Sophisticated cyber weapons have not been used against Western critical national infrastructure yet, but Poppy Gustafsson, CEO of security company Darktrace, says the action of the Five Eyes allies suggests such an attack is inevitable.
“We can say with a degree of confidence that the Russian state and state-affiliated actors have novel and destructive cyberattacks in their arsenal and it is only a matter of time before these are deployed,” Gustafsson says. “The warning from the Five Eyes serves as another reminder of the urgency with which defenders must act to ensure their digital assets are protected.”
How will critical national infrastructure be protected?
CISA in the US has issued “shields up” guidance, a set of technical guidance notes to help US organisations fend off attacks by Russian affiliates. These include enforcing multi-factor authentication and disabling ports and protocols that are not essential. Gustafsson says these measures are unlikely to go far enough in the face of a sustained attack. “These defenders can only take a ‘shields up’ approach so far – we must augment security teams with advanced technology that can spot, stop and investigate attacks on their behalf,” she argues.
As part of the Five Eyes warning, Lindy Cameron, CEO of the NCSC, said it is “vital that all organisations accelerate plans to raise their overall cyber resilience, particularly those defending our most critical assets.” But if an organisation or element of critical national infrastructure is not currently appropriately protected, it is probably too late, explains Chris Grove, director of cybersecurity strategy at Nozomi Networks: “If operators of critical infrastructure aren’t already doing those things, they should stop now, assume they’ve been breached, and start thinking about resilience, consequence reduction, and the impact to safety,” he says.
Grove continues: “The message should be loud and clear, Russian nexus-state actors are on the prowl, cyberspace has become a messy, hot war-zone, and everyone should be prepared for an attack from any direction. I believe that the primary goal of this alert is to ring that bell in the city square letting everyone know there’s a storm on the horizon.”