Russian Government Cyber Operations Targeting US Government and Critical Infrastructure

On March 15, the US-CERT (United States Computer Emergency Response Team) released a joint Technical Alert (TA) outlining the analytic efforts of the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) regarding Russian government targeting of US Government and Critical Infrastructure entities, including those in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. These cyber operations, attributed to the known advanced persistent threat (APT) group "Dragonfly," are described as a multi-stage intrusion campaign in which the threat actors installed malware, conducted spear-phishing attacks, and gained remote access to targeted networks. The actors then performed network reconnaissance, moved laterally within the network, and collected sensitive information, including information related to industrial control systems (ICS).

Additionally, according to cybersecurity software firm Cylance, the Dragonfly group recently exploited an end-of-life Cisco core router to harvest credentials and attempt to compromise energy companies in the UK.

The NJCCIC recommends that entities which could be considered targets of Russian cyber activity review the TA and scan their systems for the indicators of compromise (IoCs) it provides. If your organization has been impacted by the activity outlined in the TA, the NJCCIC recommends immediately removing the affected hosts from your network and contacting the NJCCIC via the Cyber Incident Report Form or by calling 609-963-6900 ext. 7865.