Russia-Linked Threat Actors Continue to Target Critical Infrastructure

In the relentless landscape of cyber warfare, the prowess of Russia-linked Advanced Persistent Threat (APT) groups continues to evolve, posing a significant threat to Operational Technology (OT) globally. The latest report from the ReliaQuest Threat Research Team offers a critical examination of these threats, analyzing key cyber attacks over the past year and providing crucial insights into the tactics, techniques, and procedures (TTPs) employed by Russian actors.

Russia, recognized for its robust offensive cyber capabilities and aggressive domestic surveillance policies, has increasingly directed its attention towards economic dominance, reclaiming influence over former Soviet states, and establishing strategic global partnerships. Several high-profile Russian APT groups, under state sponsorship, engage in espionage aimed at acquiring valuable intelligence that serves national interests.

The report highlights an unsettling trend: the potential for Russian-speaking, financially motivated cybercriminal groups to target OT systems under state directives, masquerading these operations as ransomware attacks. This tactic not only disrupts operations but also enables long-term stealth espionage.

The analysis draws from several incidents, including:

  1. Denmark’s Energy Sector Attacks: In May 2023, multiple Danish energy companies faced coordinated cyber attacks exploiting a critical vulnerability (CVE-2023-28771) in Zyxel firewalls. Linked with low confidence to Russia’s GRU-affiliated Sandworm Team, these attacks disrupted operations but were thwarted before causing critical damage.
  2. Kyivstar Compromise: Ukraine’s largest telecom provider, Kyivstar, was compromised by a group linked to Sandworm, leading to extensive service disruptions. This incident underscores the strategic targeting of infrastructure that indirectly supports military operations.
  3. Exploitation of JetBrains Flaw: In a sophisticated supply-chain attack, Russia’s SVR-linked APT group “APT29” exploited a vulnerability (CVE-2023-42793) in JetBrains TeamCity, affecting multiple organizations, including those in the manufacturing sector. This incident highlights the risk of third-party software vulnerabilities being used to pivot to OT environments.
  4. The 2022 Ukrainian Power Grid Hack: This attack, attributed to Sandworm, involved advanced techniques to disrupt Ukraine’s power grid, demonstrating Russia’s capability to combine cyber operations with physical military actions for heightened impact.
  5. Ransomware Hits UK Water Supplier: In January 2024, the UK water services company Southern Water, which provides water and wastewater services to millions in the South of England, was hit by a ransomware attack. The Russian-speaking ransomware group Black Basta claimed responsibility, stating they had stolen 750GB of data. While the attack did not disrupt Southern Water’s operations, sensitive information was likely compromised. Although there is no evidence to suggest that Black Basta acted on behalf of the Russian government, the possibility of information sharing with the state cannot be ruled out, given Russia’s history of utilizing cybercriminal groups for its purposes.

The threat posed by Russia-linked groups to operational technology is real and growing. Organizations operating OT environments must take proactive steps to defend against these sophisticated threats. By understanding the evolving tactics and techniques used by these groups and implementing robust security measures, we can mitigate the risk of disruption and protect critical infrastructure from cyberattacks.