Reports: Russian IPs Scanning US Energy Firms, OthersBulletin Reportedly Issued Just Days Before Biden Warned of Cyber Activity
Just days before U.S. President Joe Biden warned that intelligence is pointing toward potential Russian cyberattacks against the U.S., the FBI reportedly issued an urgent bulletin contending that Russian IP addresses have conducted network scanning activity on at least five U.S. energy firms.
According to CBS News, which first broke the news, the activity has been pegged to threat actors who "previously conducted destructive cyber activity against foreign critical infrastructure."
The FBI bulletin was reportedly issued Friday. The president addressed growing Russian cyberthreats on Monday.
In a statement, Biden said: "Today, my administration is reiterating warnings based on evolving intelligence that the Russian government is exploring options for potential cyberattacks. … [We] will continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks against critical infrastructure. … [And] we need everyone to do their part to meet one of the defining threats of our time" (see: Illicit Crypto Activity Detected by US Treasury Department).
Now, the bureau is reportedly saying that the activity of the cited Russian IP addresses likely amounts to network reconnaissance to identify vulnerabilities to enable (potential) future intrusions. The FBI has cited 140 IP addresses it says connect to "abnormal scanning" activity toward the aforementioned U.S. firms, CBS News reports. Some 18 other U.S. companies across the defense industrial base, financial services and information technology were also reportedly targeted.
According to the same report, the bureau detected the anomalous activity beginning March 2021.
FBI officials also reportedly are seeing an uptick in scanning since Feb. 24, the start of Russia's invasion of Ukraine. Officials reportedly say the IPs have been "previously identified" actively exploiting foreign victims, leading to the "destruction" of their systems. The FBI has also provided indicators of compromise - though the addresses, at this time, cannot be directly tied to successful exploitation, officials say.
'Call Us If You See Something Suspicious'
In a statement on Tuesday, the FBI said: "The FBI, along with our federal partners, remains committed to investigating and combating any malicious cyber activity targeting the U.S. The FBI has consistently disseminated public threat advisories warning about these activities conducted by Russian cyber actors. We continue to share information proactively with our private sector partners to identify targeting and prevent incidents. We encourage the public to report any suspicious cyber activity to www.ic3.gov."
FBI officials urge those in the public sector to use strong passwords and multifactor authentication and to perform patching and regular software updates.
The bureau encourages network defenders in the private sector to review recent cybersecurity advisories and continually review alerts from the Cybersecurity and Infrastructure Security Agency.
"Know if your company has any connectivity in Russia and surrounding territories," the bureau states. "Exercise cybersecurity incident response plans, and, if compromised, the FBI encourages reporting information promptly to the local FBI field office."
Earlier this month, the U.S. Congress passed an omnibus spending bill that carries a mandatory cyber incident reporting provision for critical infrastructure providers - within 72 hours - and reporting within 24 hours after any ransom payment is made (see: US Congress Passes Cyber Incident Reporting Mandate).
Commenting on the FBI's bulletin, Rajiv Pimplaskar, CEO of the security firm Dispersive Holdings Inc., tells ISMG: "Nation-states have virtually unlimited compute and people resources at their disposal, and their toolkits can be highly effective against industry standard(s). … Nation-state toolkits can use public cloud as a gateway to get underneath the encryption layer and capture the data flow itself for future analysis."
Pimplaskar adds: "Critical infrastructure companies should bolster their cyber defense posture with advanced communications security that can obfuscate resources, as well as leverage data multi-pathing to present a harder target for such threat actors."
'A Call to Action'
Biden's remarks this week align with similar comments from Anne Neuberger, his deputy national security adviser for cyber and emerging technology, who cited Russian "preparatory activity" targeting U.S. networks.
"To be clear, there is no certainty there will be a cyber incident on critical infrastructure," said Neuberger. "This is a call to action and a call to responsibility for all of us."
It comes on the heels of IT officials in Ukraine citing a dramatic uptick in cyberattacks targeting their infrastructure. In fact, last week, the government reported that it had counted 3,000 DDoS attacks since the outbreak of the war - including a single-day record of 275 (see: Russia Says It's Seen 'Unprecedented' Level of Cyberattacks).
In a statement last week, Ukraine's State Service of Special Communication and Information Protection said: "Russia's aggression, the intensity of cyberattacks against Ukraine's vital information infrastructure hasn't decreased. While Russian missiles are targeting physical infrastructure of communication and broadcasting, Russian hackers are targeting our information infrastructure."
Viktor Zhora, deputy chairman of the same Ukrainian agency, said last week: "Russian hackers most often attacked the information resources of government agencies, institutions and companies in the financial and telecommunications sectors. Despite their efforts, all the services are working and available to the consumers."
Though much of the activity has remained within Ukraine's borders, foreign policy and cybersecurity experts have long feared that the Russian regime may activate its elite hackers to target Western infrastructure - particularly as its economy reels from crippling economic sanctions.
Last week, Ukraine reportedly linked its electric grid to continental Europe, removing a previous dependency on Russian infrastructure. This followed several cyberattacks targeting Ukraine's grid in 2015 and 2016.
Amid the warnings, ongoing Ukrainian cyber activity, and the larger ground war, Biden is expected to travel to Belgium this week for a NATO summit and will also visit Poland, which has received millions of Ukrainian refugees.
In his statement on Monday, Biden said: "I have previously warned about the potential that Russia could conduct malicious cyber activity against the U.S. … It’s part of Russia's playbook."
CISA, UK Activity
Also this week, CISA convened a three-hour call with more than 13,000 industry stakeholders around the potential for Russian cyberattacks, the agency said in a statement.
The agency advised all organizations - large and small - "to act now to protect themselves against malicious cyber activity."
In a separate statement, CISA Director Jen Easterly said: "We will continue working closely with our federal and industry partners to monitor the threat environment 24/7 and we stand ready to help organizations respond to and recover from cyberattacks."
The United Kingdom, a key U.S. ally, this week also echoed the Biden administration's warning.
The U.K.'s National Cyber Security Center, or NCSC, said in an alert: "In heightened periods of international tension, all organizations should be vigilant to cyber risks, and for several months the NCSC has been advising organizations to bolster their cybersecurity.
"The NCSC has already published actionable guidance for organizations to reduce their risk of cyber compromises. [And] while the NCSC are unaware of specific, targeted threats to the U.K. resulting from Russia's illegal invasion of Ukraine, we recommend organizations follow this advice as a priority."