US intelligence agencies have issued instructions on how to deal with Russian hackers. What do they recommend?

Lord777

The United States has developed a detailed bulletin describing how to deal with Russian state-sponsored hackers and how to protect against their attacks. The document contains numerous recommendations for countering the "Russian cyber threat" and reports on the possibility of receiving up to $10 million for helping to catch such hackers. The Russian authorities deny any connection with the activities of virtual intruders, writes CNews.

Fighting Russian hackers "for dummies"

US intelligence agencies have developed detailed instructions on how to counter Russian hackers sponsored by the state. The document is a 12-page manual that describes methods for protecting against the "Russian cyber threat" and identifying intruders, as well as listing the main techniques used by hackers from Russia.

Specialists from three US agencies worked on the document at once. Employees of the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) contributed to the creation of the manual. Why other US government and non-government organizations, such as the Central Intelligence Agency (CIA), were not allowed to work on the instruction remains unknown.

The document also contains information about substantial rewards for helping to catch foreign hackers.

It should be noted that the Russian authorities regularly deny their involvement in cyber attacks on American government agencies and private organizations.

Basic recommendations

The authors called their manual "Cybersecurity Advisory (CSA)". It provides an analysis of cyber attacks sponsored, according to the creators, by the Russian government, as well as generally accepted tactics, techniques and procedures of hackers.

Along with this, the document contains actions to detect Russian hackers, guidelines for responding to incidents, and methods to mitigate the consequences of attacks.

There are only three basic recommendations in the manual, and the first of them is called "Be prepared". It includes, among other things, the most complete staffing of cybersecurity specialists and the preparation of a clear plan for responding to cyber attacks. The authors of the manual also recommend developing a network and equipment sustainability plan and a business continuity plan so that critical functions and operations can continue to operate if computer networks and devices in them are compromised or need to be disabled for one reason or another.

The second recommendation states that it is necessary to follow the advice of specialists on setting up and using cybersecurity systems. The third option is to constantly monitor developments in the field of information security in order to be aware of potential threats and be able to prepare for them in advance.

Technical details

The next section of the manual focuses on the technical details of hacking allegedly carried out by government-sponsored Russian hackers. It lists their most popular techniques, including phishing, exploiting vulnerabilities, and searching for low-security accounts and networks.

It also provides examples of vulnerabilities that are most often used by Russian APT groups, and lists cases when hackers attacked critical information infrastructure entities (CII).

The authors of the manual also included examples of attacks by Russian hackers on various critical facilities in the United States, including the military-industrial base, as well as on the health and public health sectors, energy, telecommunications and government agencies. In particular, examples are given of several hacks on government networks between September and December 2020 and regular attacks on the US energy sector that APT groups carried out from 2011 to 2018 inclusive.

"These Russian state-sponsored APT hackers conducted a multi-stage intrusion campaign, during which they gained remote access to U.S. and international energy sector networks, deployed malware targeting the automated process control system (APCS), and collected and deleted corporate and CII-related data," it says in the manual.

A separate example is the attacks of Russian hackers on the Ukrainian CII in 2015 and 2016. The authors also gave examples of a number of strategies and methods used by cybercriminals to carry out successful attacks.

Recommendations for detection and protection

The document authored by CISA, the FBI and the NSA states that Russian hackers, backed by the state, are able to maintain permanent and long-term access to their compromised corporate and cloud environments. In this regard, the creators of the manual strongly advise you to follow two basic recommendations to identify the "Russian trace".

Their first advice is to regularly collect and properly store network and service logs. "Without centralized logging and monitoring capabilities, organizations have limited capacity to investigate incidents or detect malicious activity described in this bulletin," the authors warn.

They also advise you to look for "traces" and "behavioral evidence" indicating the presence of Russian hackers in their network, based on the examples of their actions listed in the manual. "To detect password tampering, review the authentication logs for login failures and applications for valid accounts. Look for multiple failed authentication attempts in multiple accounts," the authors recommend.

At the same time, they suggest looking in the logs for examples of using the same suspicious IP address to log in under multiple accounts and situations when the same user logs in to the network from different IP addresses located at a significant geographical distance. According to the authors, this method of detecting Russian hackers is not always reliable, since many people currently use VPNs.

The bulletin also contains other ways to identify cybercriminals. For example, it provides advice on how to search logs for examples of suspicious use of elevated accounts after resetting passwords. It is also recommended to look for atypically high activity in accounts that have not been used for a long time.

As recommendations for protecting against hacking or mitigating its consequences, the authors recommend immediately isolating networks when suspicious activity is detected and reporting the incident to the FBI or CISA. They also recommend making regular backups.

Turned in a hacker, became a millionaire

According to the information provided in the bulletin, any valuable information that contributes to the capture of a hacker attacking American CII can make the person who provides it rich. First of all, this applies to hackers who are backed by a foreign government, including the Russian one.

For information that allows you to identify a hacker or determine his location, the US authorities pay very well. A person who has such information can receive up to $10 million for it.
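Added example, not code from the post or from the CISA/FBI/NSA advisory it describes: a small Python detector for the log-review heuristics summarized above (many failed logins across accounts from one source, one source IP logging in to several accounts, and one user switching source IPs within minutes, which the post notes is weakened by VPN use). It runs over constructed sample authentication lines in an assumed "<timestamp> <user> <source_ip> <result>" format; the functions, thresholds and log format are assumptions, not anything from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in an assumed "<timestamp> <user> <source_ip> <result>" format.
SAMPLE_LOG = """\
2020-10-01T08:00:01 alice 203.0.113.5 FAIL
2020-10-01T08:00:02 bob 203.0.113.5 FAIL
2020-10-01T08:00:03 carol 203.0.113.5 FAIL
2020-10-01T08:00:05 erin 203.0.113.5 SUCCESS
2020-10-01T08:05:00 alice 198.51.100.7 SUCCESS
2020-10-01T08:06:00 bob 198.51.100.7 SUCCESS
2020-10-01T09:00:00 frank 192.0.2.10 SUCCESS
2020-10-01T09:00:30 frank 203.0.113.9 SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")
def parse_log(text):
    """Return (timestamp, user, source_ip, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip, result))
    return events
def _accounts_per_ip(events, wanted, min_accounts):
    """Map source IP -> sorted accounts with result `wanted`, keeping IPs that hit >= min_accounts."""
    seen = defaultdict(set)
    for _, user, ip, result in events:
        if result == wanted:
            seen[ip].add(user)
    return {ip: sorted(u) for ip, u in seen.items() if len(u) >= min_accounts}
def spray_sources(events, min_accounts=3):
    """Password-spray pattern: one source IP failing against many distinct accounts."""
    return _accounts_per_ip(events, "FAIL", min_accounts)
def shared_source_logins(events, min_accounts=2):
    """One source IP successfully logging in to several distinct accounts."""
    return _accounts_per_ip(events, "SUCCESS", min_accounts)
def fast_ip_switches(events, window_minutes=10):
    """Users with successful logins from two different IPs within window_minutes (VPNs weaken this)."""
    last, flagged = {}, set()
    for ts, user, ip, result in sorted(events):
        if result != "SUCCESS":
            continue
        prev = last.get(user)
        if prev and prev[1] != ip and (ts - prev[0]).total_seconds() <= window_minutes * 60:
            flagged.add(user)
        last[user] = (ts, ip)
    return sorted(flagged)
```

In practice the hits would be joined with a geolocation lookup and the organization's known VPN egress ranges before anyone treats a flagged user as suspicious.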