Malicious Russian Cyber Activity is Targeting Government Networks

On April 16, the U.S. Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the UK’s National Cyber Security Centre (NCSC) released a joint “Technical Alert” about malicious cyber activity carried out by the Russian Government.

According to the alert, “[t]he targets of this malicious cyber activity are primarily government and private-sector organizations, critical infrastructure providers, and the internet service providers (ISPs) supporting these sectors.”

The techniques used by Russian actors exploit basic weaknesses in network infrastructure. Specifically, these malicious cyber activities can target local government network devices such as routers, switches, and firewalls to compromise government services, extract intellectual property, compromise login credentials, and potentially lay a foundation for future attacks.

According to Howard Marshall, FBI Deputy Assistant Director, “The activity highlighted [in the alert] is part of a repeated pattern of disruptive and harmful malicious cyber action carried out by the Russian government.”


The alert states that “Russian cyber actors leverage a number of legacy or weak protocols associated with network administration activities.” The attackers can use these weaknesses to:

  • identify vulnerable devices;
  • extract device configurations and data;
  • map internal network architectures;
  • harvest login credentials;
  • masquerade as privileged users;
  • modify device firmware, operating systems, configurations; and
  • copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.

Additionally, Russian cyber attackers could potentially modify or deny traffic traversing through local government routers.

Local government personnel who are responsible for maintaining network infrastructure should read the alert (TA18-106A) and act on the recommended mitigation strategies. The alert contains indicators of compromise, technical details on the tactics, techniques and procedures (TTPs), and contextual information regarding the networks of compromised victims.

If your city finds signs of the malicious activity described in TA18-106A, you are encouraged to report them to DHS’s National Cybersecurity and Communications Integration Center (NCCIC), FBI, NCSC or law enforcement immediately.

To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or (888) 282-0870 or the FBI through a local field office or its Cyber Division at CyWatch@fbi.gov or (855) 292-3937.

About the Author: Yucel (“u-jel”) Ors is the program director of public safety and crime prevention at the National League of Cities. Follow Yucel on Twitter at @nlcpscp.