A Close Call: The Threat of Russian Cyber Actors to U.S. Critical Infrastructure
Speaking at the MITRE ATT&CKcon event in McLean, Virginia, Mark Singer, Threat Branch Chief at the Cybersecurity and Infrastructure Security Agency (CISA), described a near breach of U.S. critical infrastructure by Russian state-sponsored threat actors in the lead-up to the February 2022 invasion of Ukraine. The incident illustrates how persistent, and how patient, nation-state actors targeting the United States have become.
The Managed Service Provider Breach
Singer’s presentation focused on a significant breach involving a managed service provider (MSP) that delivered essential services to various critical infrastructure entities across the United States. The breach, which began in August 2021, went undetected for several months until CISA’s involvement in January 2022. By this time, the threat actors had gained substantial access to the MSP’s network, raising alarms about the potential implications for the MSP’s customers, which included a veritable "who’s who" of critical infrastructure organizations.
As CISA investigators dug into the engagement, they found what Singer called a "pretty severe compromise." The threat actors had reached a position in the MSP's network from which they could intercept and alter communications bound for the operational technology of the MSP's clients, including Industrial Control System (ICS) data and Modbus protocol traffic. That position matters because Modbus carries no authentication or integrity protection of its own: an actor who can sit on the path between an MSP's management plane and a client's controllers can rewrite commands, and the receiving device has no way to tell.
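To make that last point concrete, the following is an added example (not code from the talk, from CISA, or from the MSP) that builds a Modbus/TCP "Write Single Register" request, shows how an on-path actor can change the written value while leaving the frame perfectly well-formed, and then shows the kind of engineering-limit check a monitoring point can apply because the protocol itself will not. The unit identifier, register address, and limits are constructed for illustration.

```python
"""Modbus/TCP from an on-path attacker's position, and one monitoring-side check.

Added example: hypothetical unit id, register address and limits; frames are
constructed inline so this runs offline.
"""
import struct

# MBAP header: transaction id, protocol id (always 0), length, unit id.
MBAP = struct.Struct(">HHHB")
FC_WRITE_SINGLE_REGISTER = 0x06


def build_write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Build a function-code 0x06 request: write one holding register."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, addr, value)
    # The length field counts the unit id plus the PDU; there is no checksum or MAC.
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_adu(frame: bytes) -> dict:
    """Parse an ADU, validating only what Modbus/TCP itself lets us validate."""
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    pdu = frame[MBAP.size:]
    if proto != 0 or length != len(pdu) + 1:
        raise ValueError("malformed MBAP header")
    parsed = {"tid": tid, "unit": unit, "fc": pdu[0]}
    if parsed["fc"] == FC_WRITE_SINGLE_REGISTER:
        parsed["addr"], parsed["value"] = struct.unpack(">HH", pdu[1:5])
    return parsed


def tamper_write_value(frame: bytes, new_value: int) -> bytes:
    """What an on-path actor can do: overwrite the value field in place.

    Header, transaction id, length and address are untouched, so the result is
    indistinguishable from a legitimate request to the receiving device.
    """
    if parse_adu(frame)["fc"] != FC_WRITE_SINGLE_REGISTER:
        return frame
    value_offset = MBAP.size + 3  # skip function code (1) and address (2)
    return frame[:value_offset] + struct.pack(">H", new_value)


def check_setpoint(frame: bytes, limits: dict) -> bool:
    """Monitoring-side check: is this write inside the engineering limits for that register?

    limits maps (unit id, register address) -> range of acceptable values.
    Writes to registers with no declared limits are rejected as unexpected.
    """
    parsed = parse_adu(frame)
    if parsed["fc"] != FC_WRITE_SINGLE_REGISTER:
        return True
    window = limits.get((parsed["unit"], parsed["addr"]))
    return window is not None and parsed["value"] in window


if __name__ == "__main__":
    # Constructed scenario: unit 0x11, register 0x0010 holds a setpoint allowed 0..999.
    limits = {(0x11, 0x0010): range(0, 1000)}
    legit = build_write_single_register(tid=1, unit=0x11, addr=0x0010, value=500)
    forged = tamper_write_value(legit, 5000)
    print("legitimate:", legit.hex(), "in limits:", check_setpoint(legit, limits))
    print("tampered:  ", forged.hex(), "in limits:", check_setpoint(forged, limits))
```

The tampered frame parses cleanly and is the same length as the original; only the value differs. That is why the defensive lever here is not the protocol but the position: keep remote management paths off the OT network, and alert on writes that fall outside the plant's known operating envelope.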
A Narrow Escape from Catastrophe
The urgency of the situation prompted CISA to implement an "aggressive containment response," successfully evicting the threat actors from the network. However, the extent of the compromise remained unclear, leading CISA to take the unusual step of communicating with all of the MSP’s customers to assess the situation. Additionally, CISA maintained a presence on the network for four months to ensure that no residual threats remained.
As the situation unfolded, CISA forensic investigators continued to analyze logs from the incident. They discovered that the threat actors had attempted to regain access to the MSP’s network using compromised credentials just two days before Russia’s invasion of Ukraine. Singer expressed his concerns, stating, "It does make me a little bit queasy to this day that we made it by a week and we didn’t know it at the time. So quite an extraordinarily close call."
Collaboration with Ukraine’s CERT-UA
Singer acknowledged the invaluable assistance provided by CERT-UA, Ukraine’s national Computer Emergency Response Team, during this incident. Their collaboration was instrumental in addressing the threat and mitigating potential damage. Singer praised CERT-UA for its ongoing efforts, highlighting the importance of international cooperation in cybersecurity.
The Growing Threat Landscape
While the incident involving the MSP was alarming, Singer also pointed to the increasing threat posed by the People’s Republic of China (PRC). He suggested that the cyber threat from China may now surpass that of Russia, particularly with groups like Volt Typhoon infiltrating U.S. critical infrastructure in preparation for potential conflicts. Singer noted that the types of incidents CISA has been responding to are becoming increasingly concerning, emphasizing the need for vigilance.
China's ambitions regarding Taiwan, including the 2027 date U.S. officials have cited for PLA readiness to act against the island, raise the stakes and the potential for a major geopolitical conflict in which pre-positioned access to U.S. infrastructure would matter. In this context the threat landscape is shifting quickly, and defenders must treat such pre-positioning as a present risk rather than a hypothetical one.
The Ongoing Risk from Russian Threat Actors
Despite the focus on China, Singer cautioned that Russian FSB-linked threat groups remain highly active and capable of inflicting significant damage. He urged attendees to stay informed about Russian threats by following CERT-UA and emphasized the importance of collaboration and communication among cybersecurity professionals.
Conclusion: A Call for Humility and Vigilance
The MSP incident is a stark reminder of how exposed critical infrastructure is through its service providers: a single upstream compromise sat undetected for months and reached the point of touching client operational technology. The close call with Russian threat actors argues for proactive threat hunting, tight control of remote-management paths into OT, and the capacity to contain an intrusion quickly once found. Singer's call for humility is the fitting conclusion: CISA did not know how close it had come until the logs were analyzed after the fact, and a culture of learning and collaboration is what turns such near misses into improved defenses.
Against sophisticated, state-sponsored adversaries, vigilance, cooperation, and continuous improvement in practice are not optional. The lessons from this incident will shape how the United States and its partners defend critical infrastructure in the years ahead.