A “who’s who” of U.S. critical infrastructure entities came close to getting breached by Russian state threat actors in the days before the February 2022 invasion of Ukraine, a top CISA threat hunting official told MITRE ATT&CKcon attendees in McLean, Virginia today.
CISA Threat Branch Chief Mark Singer relayed some of the details surrounding a late 2021-early 2022 breach of a managed service provider (MSP) “who provided some pretty critical services to critical infrastructure entities inside the United States.”
It was one of three incident response engagements that CISA was involved in during the months leading up to the Russian invasion of Ukraine, Singer said, but it was the only one he detailed in the talk.
CISA’s engagement in the MSP case appears to have begun in January 2022, a month before the Russian invasion, and several months after Russian threat actors had apparently first breached the MSP’s network in August 2021.
CISA investigators realized “pretty early on in the engagement there was a pretty severe compromise,” Singer said.
“It was getting more and more concerning as time goes on that the actors that we were addressing, that we were focused on, in that engagement had reached a portion of the service provider network where they were in a position to collect, tamper with, alter communications for the customer set,” Singer said. “The reason this was alarming to us was that customer set of that service provider was like a who’s who of critical infrastructure entities in the United States.”
The threat actors “had reached a place where the communications that they could spoof, alter, tamper, replay was all of the ICS data, Modbus protocol going to the actual operational technology of these companies,” he said.
An “aggressive containment response” successfully evicted the threat actors from the network, but as CISA responders didn’t know how much access they had gained, they took the unusual step of talking with all of the MSP’s customers. CISA also stayed on the network for four months to make sure everything was okay, another unusual step for the top U.S. cybersecurity agency.
A couple of months later, when Russia had pivoted its cyber focus exclusively back to Ukraine, CISA forensic investigators going through logs from the incident realized that the threat actors had used two compromised credentials in attempts to regain access to the MSP network, the last of them just two days before the February 2022 invasion.
“It’s a little bit unknowable exactly what they could have done,” Singer said. “I have my theories. But given the capabilities of that actor, given the reporting and the sort of risks that we were already concerned about, I’m really glad that they weren’t able to re-access that environment.
“It does make me a little bit queasy to this day that we made it by a week and we didn’t know it at the time. So quite an extraordinarily close call.”
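The close call described above was found only in hindsight, by reviewing authentication logs after eviction. The following is an added example (not from the article, CISA, or the MSP involved) of the defender-side check that surfaces it: scan authentication records for any attempt, successful or not, by an account known to have been compromised, made after the containment date, and report how long before a reference date the last attempt occurred. The log format, the account names, the containment date and all log lines are constructed for this example; the only real value is the 24 February 2022 invasion date used as the reference.

```python
import re
from datetime import datetime, timezone

# Constructed sample authentication records in an assumed key=value syslog style.
# None of these hosts, users or addresses come from the article.
SAMPLE_LOGS = """\
2022-01-30T09:00:00Z vpn01 auth: user=admin_legacy src=203.0.113.9 result=SUCCESS
2022-02-10T03:14:07Z vpn01 auth: user=svc_backup src=203.0.113.7 result=FAILURE
2022-02-15T11:02:55Z vpn01 auth: user=jdoe src=198.51.100.23 result=SUCCESS
2022-02-20T22:48:12Z vpn01 auth: user=svc_backup src=203.0.113.7 result=FAILURE
2022-02-22T04:31:40Z vpn02 auth: user=admin_legacy src=203.0.113.9 result=FAILURE
"""

# Constructed watchlist: accounts the incident response established as compromised.
COMPROMISED_ACCOUNTS = {"svc_backup", "admin_legacy"}
# Constructed containment/eviction time; anything at or after it is a re-access attempt.
CONTAINMENT_TIME = datetime(2022, 2, 1, tzinfo=timezone.utc)
# Real date of the invasion, used only as the reference point for "how close was it".
INVASION_DATE = datetime(2022, 2, 24, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # 'Z' suffix is not accepted by fromisoformat on older Pythons; normalise it.
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def find_reaccess_attempts(log_text, compromised, containment_time):
    """Return every record (success or failure) by a compromised account after containment."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["user"] in compromised and rec["ts"] >= containment_time:
            hits.append(rec)
    hits.sort(key=lambda r: r["ts"])
    return hits


def summarize(attempts, reference_time):
    """Per account: attempt/success counts, source addresses, last attempt, and lead time."""
    summary = {}
    for rec in attempts:
        s = summary.setdefault(
            rec["user"], {"attempts": 0, "successes": 0, "sources": set(), "last": None}
        )
        s["attempts"] += 1
        if rec["result"] == "SUCCESS":
            s["successes"] += 1
        s["sources"].add(rec["src"])
        if s["last"] is None or rec["ts"] > s["last"]:
            s["last"] = rec["ts"]
    for s in summary.values():
        # Whole days between the last attempt and the reference date.
        s["days_before_reference"] = (reference_time - s["last"]).days
    return summary


if __name__ == "__main__":
    attempts = find_reaccess_attempts(SAMPLE_LOGS, COMPROMISED_ACCOUNTS, CONTAINMENT_TIME)
    for user, s in summarize(attempts, INVASION_DATE).items():
        print(
            f"{user}: {s['attempts']} attempt(s), {s['successes']} success(es), "
            f"from {sorted(s['sources'])}, last {s['last'].isoformat()} "
            f"({s['days_before_reference']} day(s) before reference date)"
        )
```

The check deliberately keeps failed logins: a failure by an account that should no longer exist or should have been reset is itself the signal that the actor still holds the credential and is probing for a way back in. Running this against the sample data reports both watchlisted accounts, with the latest attempt one day before the reference date; a zero-success result is the desired outcome, and any success after containment would be the point at which the eviction must be treated as incomplete.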
Singer praised CERT-UA, Ukraine’s national Computer Emergency Response Team, for its help during the incident and since. CERT-UA “was doing and continues to do an amazing job with their work,” he said.
Singer also warned about the threat posed by the People’s Republic of China (PRC), which he suggested is potentially greater than that of Russia, with groups like Volt Typhoon burrowing into U.S. critical infrastructure in case of a major conflict with the U.S.
“The types of incidents that we’ve responded to, the types of intrusions that we’re seeing, this is getting more and more concerning as time goes on,” he said, calling the threat “a bigger risk” than Russia posed in the leadup to the Ukraine war.
China also has “said publicly that they want to have the capability to invade Taiwan by 2027,” Singer said, increasing the chances of a major conflict.
When asked by an audience member which threat groups are among the biggest concerns, he noted that Russian FSB-linked threat groups remain “very very active” and have “the ability to do the most damage.”
He recommended that attendees follow CERT-UA in translation to stay up on Russian threats.
He also said that ATT&CK “adds a lot of value as a common language” between government and organizational security officials. Singer also called for a greater measure of humility among cybersecurity pros, noting the importance of “being able to ask questions of each other and really support learning.”