{
	"id": "7fcb6537-cd90-4a0d-aa81-f4683e6dc5cb",
	"created_at": "2026-04-06T00:18:48.518223Z",
	"updated_at": "2026-04-10T03:37:16.469045Z",
	"deleted_at": null,
	"sha1_hash": "8d1ccc92afabfad274d33d9050f569ad6a8d0e64",
	"title": "Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 160957,
	"plain_text": "Understanding and Mitigating Russian State-Sponsored Cyber\r\nThreats to U.S. Critical Infrastructure | CISA\r\nPublished: 2022-03-01 · Archived: 2026-04-05 20:31:23 UTC\r\nSummary\r\nActions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber\r\nPosture.\r\n• Patch all systems. Prioritize patching known exploited vulnerabilities.\r\n• Implement multi-factor authentication.\r\n• Use antivirus software.\r\n• Develop internal contact lists and surge support.\r\nNote: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®)\r\nframework, version 10. See the ATT\u0026CK for Enterprise for all referenced threat actor tactics and techniques.\r\nThis joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency\r\n(CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing\r\ncybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk\r\npresented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations;\r\ncommonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance;\r\nand mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these\r\nthreats.\r\nCISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network\r\ndefenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the\r\nDetection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the\r\nrecommendations listed below and detailed in the Mitigations section. These mitigations will help organizations\r\nimprove their functional resilience by reducing the risk of compromise or severe business degradation.\r\n1. Be prepared. 
Confirm reporting processes and minimize personnel gaps in IT/OT security coverage.\r\nCreate, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations\r\nplan so that critical functions and operations can be kept running if technology systems are disrupted or\r\nneed to be taken offline.\r\n2. Enhance your organization’s cyber posture. Follow best practices for identity and access management,\r\nprotective controls and architecture, and vulnerability and configuration management.\r\n3. Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing\r\nlist and feeds to receive notifications when CISA releases information about a security topic or threat.\r\nCISA, the FBI, and NSA encourage critical infrastructure organization leaders to review CISA Insights: Preparing\r\nfor and Mitigating Cyber Threats for information on reducing cyber threats to their organization.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-011a\r\nPage 1 of 11\n\nTechnical Details\r\nHistorically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective\r\ntactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks\r\nwith weak security—to gain initial access to target networks. 
Vulnerabilities known to be exploited by Russian\r\nstate-sponsored APT actors for initial access include:\r\nCVE-2018-13379 FortiGate VPNs\r\nCVE-2019-1653 Cisco router\r\nCVE-2019-2725 Oracle WebLogic Server\r\nCVE-2019-7609 Kibana\r\nCVE-2019-9670 Zimbra software\r\nCVE-2019-10149 Exim Simple Mail Transfer Protocol\r\nCVE-2019-11510 Pulse Secure\r\nCVE-2019-19781 Citrix\r\nCVE-2020-0688 Microsoft Exchange\r\nCVE-2020-4006 VMWare (note: this was a zero-day at the time.)\r\nCVE-2020-5902 F5 Big-IP\r\nCVE-2020-14882 Oracle WebLogic\r\nCVE-2021-26855 Microsoft Exchange (Note: this vulnerability is frequently observed used in conjunction\r\nwith CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)\r\nRussian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by\r\ncompromising third-party infrastructure, compromising third-party software, or developing and deploying custom\r\nmalware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in\r\ncompromised environments—including cloud environments—by using legitimate credentials.\r\nIn some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have\r\nspecifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive\r\nmalware. 
See the following advisories and alerts for information on historical Russian state-sponsored cyber-intrusion campaigns and customized malware that have targeted ICS:\r\nICS Advisory ICS Focused Malware – Havex\r\nICS Alert Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)\r\nICS Alert Cyber-Attack Against Ukrainian Critical Infrastructure\r\nTechnical Alert CrashOverride Malware\r\nCISA MAR HatMan: Safety System Targeted Malware (Update B)\r\nCISA ICS Advisory Schneider Electric Triconex Tricon (Update B)\r\nRussian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and\r\ninternational critical infrastructure organizations, including those in the Defense Industrial Base as well as the\r\nHealthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile\r\ncyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal\r\nactions includes:\r\nRussian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments\r\nand aviation networks, September 2020, through at least December 2020. Russian state-sponsored APT\r\nactors targeted dozens of SLTT government and aviation networks. The actors successfully compromised\r\nnetworks and exfiltrated data from multiple victims.\r\nRussian state-sponsored APT actors’ global Energy Sector intrusion campaign, 2011 to 2018. These\r\nRussian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained\r\nremote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and\r\ncollected and exfiltrated enterprise and ICS-related data.\r\nRussian state-sponsored APT actors’ campaign against Ukrainian critical infrastructure, 2015 and\r\n2016. 
Russian state-sponsored APT actors conducted a cyberattack against Ukrainian energy distribution\r\ncompanies, leading to multiple companies experiencing unplanned power outages in December 2015. The\r\nactors deployed BlackEnergy malware to steal user credentials and used its destructive malware\r\ncomponent, KillDisk, to make infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride\r\nmalware specifically designed to attack power grids.\r\nFor more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced\r\nproducts below or cisa.gov/Russia.\r\nJoint FBI-DHS-CISA CSA Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best\r\nPractices for Network Defenders\r\nJoint NSA-FBI-CISA CSA Russian GRU Conducting Global Brute Force Campaign to Compromise\r\nEnterprise and Cloud Environments\r\nJoint FBI-CISA CSA Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S.\r\nGovernment Targets\r\nJoint CISA-FBI CSA APT Actors Chaining Vulnerabilities against SLTT, Critical Infrastructure, and\r\nElections Organizations\r\nCISA’s webpage Remediating Networks Affected by the SolarWinds and Active Directory/M365\r\nCompromise\r\nCISA Alert Russian Government Cyber Activity Targeting Energy Sector and Other Critical Infrastructure\r\nSectors\r\nCISA ICS Alert: Cyber-Attack Against Ukrainian Critical Infrastructure\r\nTable 1 provides common, publicly known TTPs employed by Russian state-sponsored APT actors, which map to\r\nthe MITRE ATT\u0026CK for Enterprise framework, version 10. 
Note: these lists are not intended to be all-inclusive.\r\nRussian state-sponsored actors have modified their TTPs before based on public reporting.[1] Therefore, CISA,\r\nthe FBI, and NSA anticipate the Russian state-sponsored actors may modify their TTPs as they deem necessary to\r\nreduce their risk of detection.\r\nTable 1: Common Tactics and Techniques Employed by Russian State-Sponsored APT Actors\r\nTactic Technique Procedure\r\nReconnaissance\r\n[TA0043]\r\nActive Scanning:\r\nVulnerability Scanning\r\n[T1595.002]\r\nRussian state-sponsored APT actors have performed\r\nlarge-scale scans in an attempt to find vulnerable\r\nservers.\r\nPhishing for Information\r\n[T1598]\r\nRussian state-sponsored APT actors have conducted\r\nspearphishing campaigns to gain credentials of target\r\nnetworks.\r\nResource\r\nDevelopment\r\n[TA0042]\r\nDevelop Capabilities:\r\nMalware [T1587.001]\r\nRussian state-sponsored APT actors have developed\r\nand deployed malware, including ICS-focused\r\ndestructive malware.\r\nInitial Access\r\n[TA0001]\r\nExploit Public Facing\r\nApplications [T1190]\r\nRussian state-sponsored APT actors use publicly\r\nknown vulnerabilities, as well as zero-days, in\r\ninternet-facing systems to gain access to networks.\r\nSupply Chain Compromise:\r\nCompromise Software\r\nSupply Chain [T1195.002]\r\nRussian state-sponsored APT actors have gained\r\ninitial access to victim organizations by\r\ncompromising trusted third-party software. 
Notable\r\nincidents include M.E.Doc accounting software and\r\nSolarWinds Orion.\r\nExecution\r\n[TA0002]\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\n[T1059.003] and Windows\r\nCommand Shell [T1059.003]\r\nRussian state-sponsored APT actors have used\r\ncmd.exe to execute commands on remote machines.\r\nThey have also used PowerShell to create new tasks\r\non remote machines, identify configuration settings,\r\nexfiltrate data, and to execute other commands.\r\nPersistence\r\n[TA0003]\r\nValid Accounts [T1078]\r\nRussian state-sponsored APT actors have used\r\ncredentials of existing accounts to maintain persistent,\r\nlong-term access to compromised networks.\r\nCredential Access\r\n[TA0006]\r\nBrute Force: Password\r\nGuessing [T1110.001] and\r\nPassword Spraying\r\n[T1110.003]\r\nRussian state-sponsored APT actors have conducted\r\nbrute-force password guessing and password spraying\r\ncampaigns.\r\nOS Credential Dumping:\r\nNTDS [T1003.003]\r\nRussian state-sponsored APT actors have exfiltrated\r\ncredentials and exported copies of the Active\r\nDirectory database ntds.dit.\r\nSteal or Forge Kerberos\r\nTickets: Kerberoasting\r\n[T1558.003]\r\nRussian state-sponsored APT actors have performed\r\n“Kerberoasting,” whereby they obtained the Ticket\r\nGranting Service (TGS) Tickets for Active Directory\r\nService Principal Names (SPN) for offline cracking.\r\nCredentials from Password\r\nStores [T1555]\r\nRussian state-sponsored APT actors have used\r\npreviously compromised account credentials to\r\nattempt to access Group Managed Service Account\r\n(gMSA) passwords.\r\nExploitation for Credential\r\nAccess [T1212]\r\nRussian state-sponsored APT actors have exploited\r\nWindows Netlogon vulnerability CVE-2020-1472 to\r\nobtain access to Windows Active Directory servers.\r\nUnsecured Credentials:\r\nPrivate Keys [T1552.004]\r\nRussian 
state-sponsored APT actors have obtained\r\nprivate encryption keys from the Active Directory\r\nFederation Services (ADFS) container to decrypt\r\ncorresponding SAML signing certificates.\r\nCommand and\r\nControl [TA0011]\r\nProxy: Multi-hop Proxy\r\n[T1090.003]\r\nRussian state-sponsored APT actors have used virtual\r\nprivate servers (VPSs) to route traffic to targets. The\r\nactors often use VPSs with IP addresses in the home\r\ncountry of the victim to hide activity among\r\nlegitimate user traffic.\r\nFor additional enterprise TTPs used by Russian state-sponsored APT actors, see the ATT\u0026CK for Enterprise pages\r\non APT29, APT28, and the Sandworm Team, respectively. For information on ICS TTPs see the ATT\u0026CK\r\nfor ICS pages on the Sandworm Team, BlackEnergy 3 malware, CrashOverride malware, BlackEnergy’s KillDisk\r\ncomponent, and NotPetya malware.\r\nDetection\r\nGiven Russian state-sponsored APT actors’ demonstrated capability to maintain persistent, long-term access in\r\ncompromised enterprise and cloud environments, CISA, the FBI, and NSA encourage all critical infrastructure\r\norganizations to:\r\nImplement robust log collection and retention. Without a centralized log collection and monitoring\r\ncapability, organizations have limited ability to investigate incidents or detect the threat actor behavior\r\ndescribed in this advisory. Depending on the environment, examples include:\r\nNative tools such as M365’s Sentinel.\r\nThird-party tools, such as Sparrow, Hawk, or CrowdStrike's Azure Reporting Tool (CRT), to review\r\nMicrosoft cloud environments and to detect unusual activity, service principals, and application\r\nactivity. 
Note: for guidance on using these and other detection tools, refer to CISA Alert Detecting\r\nPost-Compromise Threat Activity in Microsoft Cloud Environments.\r\nLook for behavioral evidence or network and host-based artifacts from known Russian state-sponsored\r\nTTPs. See table 1 for commonly observed TTPs.\r\nTo detect password spray activity, review authentication logs for system and application login\r\nfailures of valid accounts. Look for multiple, failed authentication attempts across multiple\r\naccounts.\r\nTo detect use of compromised credentials in combination with a VPS, follow the below steps:\r\nLook for suspicious “impossible logins,” such as logins with changing username, user agent\r\nstrings, and IP address combinations or logins where IP addresses do not align to the\r\nexpected user’s geographic location.\r\nLook for one IP used for multiple accounts, excluding expected logins.\r\nLook for “impossible travel.” Impossible travel occurs when a user logs in from multiple IP\r\naddresses that are a significant geographic distance apart (i.e., a person could not realistically\r\ntravel between the geographic locations of the two IP addresses during the time period\r\nbetween the logins). 
Note: implementing this detection opportunity can result in false\r\npositives if legitimate users apply VPN solutions before connecting into networks.\r\nLook for processes and program execution command-line arguments that may indicate\r\ncredential dumping, especially attempts to access or copy the ntds.dit file from a domain\r\ncontroller.\r\nLook for suspicious privileged account use after resetting passwords or applying user\r\naccount mitigations.\r\nLook for unusual activity in typically dormant accounts.\r\nLook for unusual user agent strings, such as strings not typically associated with normal user\r\nactivity, which may indicate bot activity.\r\nFor organizations with OT/ICS systems:\r\nTake note of unexpected equipment behavior; for example, unexpected reboots of digital controllers\r\nand other OT hardware and software.\r\nRecord delays or disruptions in communication with field equipment or other OT devices.\r\nDetermine if system parts or components are lagging or unresponsive.\r\nIncident Response\r\nOrganizations detecting potential APT activity in their IT or OT networks should:\r\n1. Immediately isolate affected systems.\r\n2. Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an\r\nantivirus program to ensure it is free of malware.\r\n3. Collect and review relevant logs, data, and artifacts.\r\n4. Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure\r\nthe actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.\r\n5. Report incidents to CISA and/or the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855)\r\n292-3937 or CyWatch@fbi.gov.\r\nNote: for OT assets, organizations should have a resilience plan that addresses how to operate if you lose access to\r\n—or control of—the IT and/or OT environment. 
Refer to the Mitigations section for more information.\r\nSee the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on\r\nTechnical Approaches to Uncovering and Remediating Malicious Activity for guidance on hunting or\r\ninvestigating a network, and for common mistakes in incident handling. CISA, the FBI, and NSA encourage\r\ncritical infrastructure owners and operators to see CISA’s Federal Government Cybersecurity Incident and\r\nVulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide\r\noperational procedures for planning and conducting cybersecurity incident and vulnerability response activities\r\nand detail each step for both incident and vulnerability response.\r\nNote: organizations should document incident response procedures in a cyber incident response plan, which\r\norganizations should create and exercise (as noted in the Mitigations section).\r\nMitigations\r\nCISA, the FBI, and NSA encourage all organizations to implement the following recommendations to increase\r\ntheir cyber resilience against this threat.\r\nBe Prepared\r\nConfirm Reporting Processes and Minimize Coverage Gaps\r\nDevelop internal contact lists. Assign main points of contact for a suspected incident as well as roles and\r\nresponsibilities and ensure personnel know how and when to report an incident.\r\nMinimize gaps in IT/OT security personnel availability by identifying surge support for responding to an\r\nincident. Malicious cyber actors are known to target organizations on weekends and holidays when there\r\nare gaps in organizational cybersecurity—critical infrastructure organizations should proactively protect\r\nthemselves by minimizing gaps in coverage.\r\nEnsure IT/OT security personnel monitor key internal security capabilities and can identify anomalous\r\nbehavior. 
Flag any identified IOCs and TTPs for immediate response. (See table 1 for commonly observed\r\nTTPs).\r\nCreate, Maintain, and Exercise a Cyber Incident Response, Resilience Plan, and Continuity of Operations Plan\r\nCreate, maintain, and exercise a cyber incident response and continuity of operations plan.\r\nEnsure personnel are familiar with the key steps they need to take during an incident and are positioned to\r\nact in a calm and unified manner. Key questions:\r\nDo personnel have the access they need?\r\nDo they know the processes?\r\nFor OT assets/networks,\r\nIdentify a resilience plan that addresses how to operate if you lose access to—or control of—the IT\r\nand/or OT environment.\r\nIdentify OT and IT network interdependencies and develop workarounds or manual controls\r\nto ensure ICS networks can be isolated if the connections create risk to the safe and reliable\r\noperation of OT processes. Regularly test contingency plans, such as manual controls, so that\r\nsafety critical functions can be maintained during a cyber incident. Ensure that the OT\r\nnetwork can operate at necessary capacity even if the IT network is compromised.\r\nRegularly test manual controls so that critical functions can be kept running if ICS or OT networks\r\nneed to be taken offline.\r\nImplement data backup procedures on both the IT and OT networks. Backup procedures should be\r\nconducted on a frequent, regular basis. Regularly test backup procedures and ensure that backups\r\nare isolated from network connections that could enable the spread of malware.\r\nIn addition to backing up data, develop recovery documents that include configuration settings for\r\ncommon devices and critical OT equipment. 
This can enable more efficient recovery following an\r\nincident.\r\nEnhance your Organization’s Cyber Posture\r\nCISA, the FBI, and NSA recommend organizations apply the best practices below for identity and access\r\nmanagement, protective controls and architecture, and vulnerability and configuration management.\r\nIdentity and Access Management\r\nRequire multi-factor authentication for all users, without exception.\r\nRequire accounts to have strong passwords and do not allow passwords to be used across multiple accounts\r\nor stored on a system to which an adversary may have access.\r\nSecure credentials. Russian state-sponsored APT actors have demonstrated their ability to maintain\r\npersistence using compromised credentials.\r\nUse virtualizing solutions on modern hardware and software to ensure credentials are securely\r\nstored.\r\nDisable the storage of clear text passwords in LSASS memory.\r\nConsider disabling or limiting New Technology Local Area Network Manager (NTLM) and\r\nWDigest Authentication.\r\nImplement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage\r\nWindows Defender Credential Guard for more information). For Windows Server 2012R2,\r\nenable Protected Process Light for Local Security Authority (LSA).\r\nMinimize the Active Directory attack surface to reduce malicious ticket-granting activity. Malicious\r\nactivity such as “Kerberoasting” takes advantage of Kerberos’ TGS and can be used to obtain\r\nhashed credentials that attackers attempt to crack.\r\nSet a strong password policy for service accounts.\r\nAudit Domain Controllers to log successful Kerberos TGS requests and ensure the events are monitored for\r\nanomalous activity.  \r\nSecure accounts.\r\nEnforce the principle of least privilege. 
Administrator accounts should have the minimum\r\npermission they need to do their tasks.\r\nEnsure there are unique and distinct administrative accounts for each set of administrative tasks.\r\nCreate non-privileged accounts for privileged users and ensure they use the non-privileged\r\naccounts for all non-privileged access (e.g., web browsing, email access).\r\nProtective Controls and Architecture\r\nIdentify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor or\r\nmalware. Use network monitoring tools and host-based logs and monitoring tools, such as an endpoint\r\ndetection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as\r\nthey have insight into common and uncommon network connections for each host.\r\nEnable strong spam filters.\r\nEnable strong spam filters to prevent phishing emails from reaching end users.\r\nFilter emails containing executable files to prevent them from reaching end users.\r\nImplement a user training program to discourage users from visiting malicious websites or opening\r\nmalicious attachments.\r\nNote: CISA, the FBI, and NSA also recommend, as a longer-term effort, that critical infrastructure organizations\r\nimplement network segmentation to separate network segments based on role and functionality. Network\r\nsegmentation can help prevent lateral movement by controlling traffic flows between—and access to—various\r\nsubnetworks.\r\nAppropriately implement network segmentation between IT and OT networks. Network segmentation\r\nlimits the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a\r\ndemilitarized zone that eliminates unregulated communication between the IT and OT networks.\r\nOrganize OT assets into logical zones by taking into account criticality, consequence, and operational\r\nnecessity. 
Define acceptable communication conduits between the zones and deploy security controls to\r\nfilter network traffic and monitor communications between zones. Prohibit ICS protocols from traversing\r\nthe IT network.\r\nVulnerability and Configuration Management\r\nUpdate software, including operating systems, applications, and firmware on IT network assets, in a timely\r\nmanner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA,\r\nand then critical and high vulnerabilities that allow for remote code execution or denial-of-service on\r\ninternet-facing equipment.\r\nConsider using a centralized patch management system. For OT networks, use a risk-based\r\nassessment strategy to determine the OT network assets and zones that should participate in the\r\npatch management program.\r\nConsider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help\r\nreduce exposure to threats. CISA’s vulnerability scanning service evaluates external network\r\npresence by executing continuous scans of public, static IP addresses for accessible services and\r\nvulnerabilities.\r\nUse industry recommended antivirus programs.\r\nSet antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date\r\nsignatures.\r\nUse a risk-based asset inventory strategy to determine how OT network assets are identified and\r\nevaluated for the presence of malware.\r\nImplement rigorous configuration management programs. Ensure the programs can track and mitigate\r\nemerging threats. Review system configurations for misconfigurations and security weaknesses.\r\nDisable all unnecessary ports and protocols\r\nReview network security device logs and determine whether to shut off unnecessary ports and\r\nprotocols. 
Monitor common ports and protocols for command and control activity.\r\nTurn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices.\r\nEnsure OT hardware is in read-only mode.\r\nIncrease Organizational Vigilance\r\nRegularly review reporting on this threat. Consider signing up for CISA notifications to receive timely\r\ninformation on current security issues, vulnerabilities, and high-impact activity.\r\nResources\r\nFor more information on Russian state-sponsored malicious cyber activity, refer to cisa.gov/Russia.\r\nRefer to CISA Analysis Report Strengthening Security Configurations to Defend Against Attackers\r\nTargeting Cloud Services for guidance on strengthening your organization’s cloud security\r\npractices.\r\nLeaders of small businesses and small and local government agencies should see CISA’s Cyber Essentials\r\nfor guidance on developing an actionable understanding of implementing organizational cybersecurity\r\npractices.\r\nCritical infrastructure owners and operators with OT/ICS networks should review the following resources\r\nfor additional information:\r\nNSA and CISA joint CSA NSA and CISA Recommend Immediate Actions to Reduce Exposure\r\nAcross Operational Technologies and Control Systems\r\nCISA factsheet Rising Ransomware Threat to Operational Technology Assets for additional\r\nrecommendations.\r\nRewards for Justice Program\r\nIf you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact\r\nthe Department of State’s Rewards for Justice Program. You may be eligible for a reward of up to $10 million,\r\nwhich DOS is offering for information leading to the identification or location of any person who, while acting\r\nunder the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical\r\ninfrastructure in violation of the Computer Fraud and Abuse Act (CFAA). 
Contact +1-202-702-7843 on\r\nWhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located\r\non the Dark Web. For more details refer to rewardsforjustice.net/malicious_cyber_activity.\r\nCaveats\r\nThe information you have accessed or received is being provided “as is” for informational purposes only. CISA,\r\nthe FBI, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any\r\nreference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or\r\notherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or NSA.\r\nReferences\r\n[1] Joint NCSC-CISA UK Advisory: Further TTPs Associated with SVR Cyber Actors\r\nRevisions\r\nJanuary 11, 2022: Initial Version|January 25, 2022: Updated broken link|February 28, 2022: Updated broken link\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-011a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa22-011a"
	],
	"report_names": [
		"aa22-011a"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775792236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d1ccc92afabfad274d33d9050f569ad6a8d0e64.pdf",
		"text": "https://archive.orkl.eu/8d1ccc92afabfad274d33d9050f569ad6a8d0e64.txt",
		"img": "https://archive.orkl.eu/8d1ccc92afabfad274d33d9050f569ad6a8d0e64.jpg"
	}
}