Joint Cybersecurity Advisory on Energy Sector ICS Targeting by Russian State-Sponsored Actors, Including TRISIS/TRITON Malware

Author: Jennifer Walker

Created: Tuesday, March 29, 2022 - 17:40

Categories: Cybersecurity, OT-ICS Security, Security Preparedness

In response to unsealed indictments by the Department of Justice, federal agencies have published multiple reports regarding Russian state-sponsored cyber activity. Given the current threat climate, it is prudent to pay specific attention to activity reports that CISA and other federal partners publish, as they may be representative of identifiable cyber activity. As such, members are strongly encouraged to review the following reports for information regarding the potential for similar cyber threat activity and to apply a risk-based approach to mitigation actions, as not all recommendations may be appropriate for all environments or conditions.

Last week, the Department of Justice unsealed two indictments charging four Russian nationals who worked for the Russian government with attempting, supporting, and conducting computer intrusions that targeted the global energy sector between 2012 and 2018. Additionally, CISA, the FBI, and the Department of Energy released joint Cybersecurity Advisory (CSA) AA22-083A, Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector, detailing campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted U.S. and international Energy Sector organizations. The FBI concurrently published Private Industry Notification (PIN) 20220324-001, TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS), warning that the group responsible for the deployment of TRITON (TRISIS) malware against a Middle East–based petrochemical plant’s safety instrumented system in 2017 continues to conduct activity targeting the global energy sector.

For a comprehensive list of additional resources we have been tracking regarding Russian cyber activity, visit Keep Your Shields Up, Don’t Panic, and Bolster Resilience Against Potential Russian Cyber Attacks on Critical Infrastructure in the WaterISAC Resource Center.

Resources

  • State-Sponsored Russian Cyber Actors Targeted Energy Sector from 2011 to 2018 (CISA)
  • AA22-083A – Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector (Joint CSA from CISA, FBI, DoE)
  • TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS) (FBI PIN)
  • Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide – Defendants’ Separate Campaigns Both Targeted Software and Hardware for Operational Technology Systems (Department of Justice)

Incident Reporting
WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector.
