Dive Brief:
- Federal authorities in the U.S. and eight other countries warn that threat groups affiliated with Russia’s military intelligence service are targeting global critical infrastructure and key resource sectors, according to a joint cybersecurity advisory released Thursday.
- Threat groups affiliated with a specialist unit of the Russian General Staff Main Intelligence Directorate have targeted government services, financial services, transportation systems, energy, and healthcare sectors of NATO members and countries in Europe, Central America and Asia, officials said in the advisory.
- “To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional EU countries,” authorities said in the advisory. The attackers have defaced victim websites, scanned infrastructure, and exfiltrated and leaked stolen data.
Dive Insight:
The threat group is primarily attempting to disrupt international aid to Ukraine, part of a broader yearslong effort that accelerated after Russia invaded Ukraine in February 2022.
U.S. cyber authorities have been warning about more sophisticated and dangerous activities tied to Russia. Other Russia-linked hackers attacked Microsoft’s internal systems starting in late November and stole credentials for federal agencies that could be used to compromise government departments, authorities said earlier this year.
Russia-linked cyberattackers are scanning for and exploiting known vulnerabilities the U.S. government warned organizations to patch. The detailed advisory explains how attackers are exploiting or preparing to exploit vulnerabilities, and adversaries are using these footholds for objectives critical infrastructure providers may not expect.
The expansive campaign involves reconnaissance with the aid of multiple scanning tools used to discover exploitable vulnerabilities on victim networks. Authorities said the Russia-linked attackers obtained exploit scripts from GitHub repositories and used them against victim infrastructure.
U.S. and international cyber authorities have observed active exploits of critical vulnerabilities in Atlassian Confluence Server and Data Center, Dahua IP cameras and Sophos Firewalls. Authorities have also observed threat groups obtaining active exploit scripts, but not exploiting, critical vulnerabilities in products from Atlassian, Microsoft and Red Hat.
The group is “known to use VPNs to anonymize their operational activity,” authorities said in the advisory. “These cyber actors commonly attempt to exploit weaknesses in internet-facing systems.”
The latest activities are an extension of the Russia-backed group’s use of WhisperGate malware targeting Ukrainian victim organizations in early 2022.