A detailed bulletin has been published in the United States describing how to counter Russian state-sponsored hackers and defend against their attacks. The document contains numerous recommendations for countering the “Russian cyber threat” and notes that a reward of up to $10 million is available for information that helps catch such hackers. The Russian authorities have denied any connection with the attackers' activities.
Fight against Russian hackers “for dummies”
US security agencies have developed detailed instructions on how to counter Russian state-sponsored hackers. The document is a 12-page advisory that describes methods of protecting against the “Russian cyber threat” and identifying intruders, and lists the main techniques used by hackers from Russia.
Specialists from three American agencies worked on the document. Employees of the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) contributed to the advisory. Why other government and near-government American organizations, for example the Central Intelligence Agency (CIA), did not take part in writing it remains unknown.
The document also contains information about a solid reward for helping to catch foreign hackers.
Information about Russian hackers can be sold to the Americans for $10 million
Note that the Russian authorities regularly deny their involvement in cyberattacks on American government agencies and private organizations.
The authors call their guidance a Cybersecurity Advisory (CSA). It provides an overview of cyberattacks allegedly sponsored by the Russian government, as well as the attackers' common tactics, techniques, and procedures.
Along with this, the document contains guidance on detecting Russian hackers, recommendations for responding to incidents, and methods for mitigating the consequences of attacks.
The advisory gives only three basic recommendations, the first of which is “Be prepared”. This includes, among other things, fully staffing the cybersecurity team and preparing a clear cyber incident response plan. The authors also recommend developing a resilience plan for the network and equipment and a continuity-of-operations plan, so that critical functions and operations can continue if computer networks and the devices on them are compromised or have to be taken offline for any reason.
The second recommendation stresses the need to follow expert guidance on configuring and operating cybersecurity systems. The third is to keep track of developments in information security in order to be aware of potential threats and prepare for them in advance.
The next section of the advisory covers the technical details of intrusions attributed to Russian state-sponsored hackers. It lists their preferred tactics, including phishing, exploiting vulnerabilities, and targeting weakly protected accounts and networks.
It also gives examples of the vulnerabilities most often used by Russian APT groups, and lists cases in which the hackers attacked critical information infrastructure (CII) entities.
Favorite vulnerabilities of Russian hackers
The authors of the advisory also did not omit examples of attacks by Russian hackers on various US critical infrastructure sectors, including the defense industrial base, healthcare and public health, energy, telecommunications, and government agencies. In particular, it cites several intrusions into government networks between September and December 2020 and a sustained campaign by APT groups against the US energy sector from 2011 to 2018 inclusive.
“These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to US and international energy sector networks, deployed malware targeting industrial control systems (ICS), and collected and exfiltrated enterprise data and CII-related data,” the advisory says.
A separate example is the Russian hackers' attacks on Ukrainian CII in 2015 and 2016. The authors also list a number of strategies and methods the attackers use to carry out successful intrusions.
Common tactics and techniques used by Russian state-sponsored APT groups
Detection and protection recommendations
The document, authored by CISA, the FBI and the NSA, states that Russian state-backed hackers are able to maintain persistent, long-term access to the corporate and cloud environments they have compromised. In this regard, the authors strongly advise following two basic recommendations to identify the “Russian trace”.
Their first tip is to regularly collect and properly retain network and service logs. “Without the ability to centrally collect logs and monitor them, organizations have limited ability to investigate incidents or detect the attackers described in this bulletin,” the authors warn.
They also advise looking for “traces” and “behavioral evidence” indicating the presence of Russian hackers in the network, based on the examples of their activity listed in the advisory. “Look at authentication logs for failed logon attempts against valid accounts to detect password brute-forcing. Look for multiple failed authentication attempts across multiple accounts,” the authors recommend.
They also suggest searching the logs for the same suspicious IP address logging in to several accounts, and for the same user logging in from IP addresses that are a significant geographic distance apart. According to the authors, this method of detecting Russian hackers is not always reliable, since many people now use VPNs.
The bulletin contains other ways to identify the attackers. For example, it advises looking in the logs for suspicious use of privileged accounts after a password reset. It also recommends looking for atypically high activity in accounts that have not been used for a long time.
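The log-hunting checks described above, as an added example that is not code from the advisory or from the article: password spraying (one source IP failing against many accounts), impossible travel (one user succeeding from two locations too far apart for the elapsed time), and reactivation of a dormant account. The authentication events, IP addresses and the IP-to-coordinates map are all constructed for the demonstration; a real deployment would feed it SIEM output and a GeoIP database.

```python
"""Toy implementations of the log-hunting checks the CSA describes:
password spraying, impossible travel, and reactivated dormant accounts.
Added example; the events, IPs and coordinates below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample authentication events: (timestamp, user, source IP, result).
SAMPLE_EVENTS = [
    ("2021-09-01T10:00:00", "svc-backup", "198.51.100.4", "success"),
    ("2022-01-10T08:00:00", "alice", "203.0.113.7", "fail"),
    ("2022-01-10T08:00:05", "bob", "203.0.113.7", "fail"),
    ("2022-01-10T08:00:11", "carol", "203.0.113.7", "fail"),
    ("2022-01-10T08:00:17", "dave", "203.0.113.7", "fail"),
    ("2022-01-10T08:00:24", "erin", "203.0.113.7", "fail"),
    ("2022-01-10T08:00:30", "erin", "203.0.113.7", "success"),
    ("2022-01-10T09:00:00", "alice", "198.51.100.4", "success"),
    ("2022-01-10T09:30:00", "alice", "192.0.2.9", "success"),
    ("2022-01-10T10:00:00", "svc-backup", "198.51.100.4", "success"),
]

# Constructed IP -> (lat, lon) map standing in for a real GeoIP lookup.
SAMPLE_GEO = {
    "198.51.100.4": (38.9, -77.0),   # assumed location: Washington, DC
    "192.0.2.9": (55.75, 37.6),      # assumed location: Moscow
    "203.0.113.7": (51.5, -0.1),     # assumed location: London
}


def parse_events(rows):
    """Turn raw tuples into dicts with a datetime, sorted by time."""
    events = [{"time": datetime.fromisoformat(t), "user": u, "ip": ip, "result": r}
              for t, u, ip, r in rows]
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failures hit >= min_accounts distinct users inside a window.
    One IP, many accounts, few tries each is the spray pattern the advisory
    describes as 'multiple failed authentication attempts across multiple accounts'."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            failures[e["ip"]].append(e)
    hits = {}
    for ip, evs in failures.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def _km(a, b):
    """Great-circle distance (haversine) between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_impossible_travel(events, geo=SAMPLE_GEO, max_kmh=900.0):
    """Flag a user whose consecutive successful logons from different IPs imply
    faster-than-airliner travel. As the advisory notes, VPN use makes this noisy."""
    last = {}
    hits = []
    for e in events:
        if e["result"] != "success" or e["ip"] not in geo:
            continue
        prev = last.get(e["user"])
        if prev and prev["ip"] != e["ip"]:
            hours = (e["time"] - prev["time"]).total_seconds() / 3600
            dist = _km(geo[prev["ip"]], geo[e["ip"]])
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                hits.append((e["user"], prev["ip"], e["ip"], round(speed)))
        last[e["user"]] = e
    return hits


def detect_dormant_reactivation(events, dormant_days=90):
    """Flag a successful logon by an account with no activity for dormant_days."""
    last_seen = {}
    hits = []
    for e in events:
        prev = last_seen.get(e["user"])
        if e["result"] == "success" and prev and (e["time"] - prev).days >= dormant_days:
            hits.append((e["user"], (e["time"] - prev).days))
        last_seen[e["user"]] = e["time"]
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("password spray:", detect_password_spray(evs))
    print("impossible travel:", detect_impossible_travel(evs))
    print("dormant reactivation:", detect_dormant_reactivation(evs))
```

The thresholds (five accounts in ten minutes, 900 km/h, 90 days) are starting points, not values from the advisory; tune them to the environment, and remember that the impossible-travel check has exactly the weakness the article mentions: a user on a VPN exit node or a cloud-hosted client will trip it for legitimate reasons.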
As guidance for protecting against intrusions or mitigating their consequences, the authors recommend immediately isolating affected networks when suspicious activity is detected and reporting the incident to the FBI or CISA. They also advise making regular backups.
Turned in a hacker – became a millionaire
According to the bulletin, valuable information that helps catch a hacker attacking American CII can make the person who provides it rich. This applies above all to hackers backed by a foreign government, including the Russian one.
The US authorities pay well for information that makes it possible to identify a hacker or determine his location. A person with such information can receive up to $10 million for it (748.4 million rubles at the Central Bank exchange rate as of January 12, 2022).