Energy Sector Targeting Activity by Russian State-Sponsored Actors

On Friday evening, WaterISAC distributed an advisory to members on newly published reports regarding energy sector ICS targeting by Russian state-sponsored actors. The reports included a recent Joint Cybersecurity Advisory AA22-083A, Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector and an FBI Private Industry Notification (PIN) 20220324-001, TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS). AA22-083A details campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted U.S. and international energy sector organizations. The PIN warns that the group responsible for the deployment of TRITON (TRISIS) malware against a Middle East–based petrochemical plant’s safety instrumented system in 2017 continues to conduct activity targeting the global energy sector.

It is prudent to pay specific attention to activity reports that CISA and other federal partners publish, as they may be representative of currently identified cyber activity. As such, members are highly recommended to review the following reports for information regarding the potential for similar cyber threat activity and to apply a risk-based approach regarding mitigation actions, as not all recommendations may be appropriate for all environments/conditions.