nGuard

russia

FBI Secretly Removing Malware

Late last week, Attorney General Merrick Garland announced that the FBI was removing malware from computer systems around the world in an attempt to thwart Russian cyber attacks. In March, the White House warned that Russia could be targeting critical infrastructure in the United States. The malware the FBI is removing is reported to allow an arm of the Russian military, the GRU, to take over machines and assemble them into botnets for DDoS attacks. The GRU is Russia’s largest foreign intelligence agency and is responsible for multiple forms of military intelligence.

The Justice Department says that this strain of malware is designed to compromise externally facing firewalls and enlist them in a botnet called Cyclops Blink. The botnet is controlled by a notorious group called Sandworm, which is known to work with the GRU. The DOJ had warned owners of infected devices that their machines were part of the Cyclops Blink botnet, but rather than wait for them to act, it took it upon itself to remove the malware from the infected devices.

Through secret court orders, the Justice Department and FBI were able to quietly remove this malware from infected devices across the globe. After removing the malware, the FBI also closed the management port that had been used as the attack vector. The Biden administration has been ramping up its cyber security operations since the outbreak of war in Ukraine. While Ukraine has been the number one target of cyber attacks over the last couple of months, authorities warn that critical infrastructure organizations in the United States could be next.

Performing external penetration testing and maintaining a formal external vulnerability management program can help thwart attacks like this. By identifying and patching these vulnerabilities before adversaries exploit them, you can keep your externally facing machines from becoming part of a worldwide botnet.

Filed Under: Advisory, Breach, Compliance, Events, Financial, General, Products & Services, Vulnerabilities & Exploits Tagged With: blink, cyclops, doj, fbi, Hacking, malware, Penetration Testing, russia, secret

DHS Warns Russian Cyber Attacks Are Likely

Threats Are on The Rise
As tensions rise on the border between Russia and its southwestern neighbor Ukraine, threats of cyber attacks have the Western world on edge. There have been nearly 500 documented cyber attacks affecting the geopolitical landscape around the globe since 2009, with approximately 30% originating from Russia or China. History shows that Russia has found success in launching cyber attacks against nations it feels “threaten their long-term national security.” On January 23rd, 2022, the Department of Homeland Security (DHS) released a memo stating “Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure.”

History of Conflict
Since the 2014 annexation of Crimea by the Russian Federation, cyber attacks have been a recurring military theme in this conflict. In December 2015, Russian hackers exploited vulnerabilities in three Ukrainian energy distribution companies, disrupting the electricity supply for over 230,000 Ukrainians. These complex attacks followed a path that adversaries still use today: social engineering campaigns were followed by the seizure of Supervisory Control and Data Acquisition (SCADA) systems, resulting in denial-of-service attacks on call centers, the destruction and encryption of critical file servers, and the disabling of OT infrastructure components.

Current Conflict
In 2022, the Kremlin appears more than ready to use the same cyber tactics that led to the successful annexation of Crimea in 2014. On January 15th, 2022, Microsoft reported that dozens of Ukrainian government agencies had fallen victim to a website defacement attack. The message on the affected websites read “be afraid and expect the worst.”

Russia is suspected of using similar tactics to launch “false-flag” operations intended to stir up domestic tension in Ukraine or cast blame on Ukraine for the conflict. U.S. and international information security teams are ramping up preparations for any possible scenario as diplomatic negotiations continue.

Preventative Measures
The continued discovery of critical vulnerabilities affecting internet-facing systems (see Log4j) requires organizations to conduct ongoing vulnerability scanning and penetration testing to ensure attackers cannot gain a foothold on internal networks. By incorporating security awareness training and tabletop exercises, both general staff and information security teams can be prepared for any scenario. As a leading provider of cyber security services, nGuard is ready to discuss your organization’s needs and help implement protective measures.

Filed Under: Advisory, Breach, Events, General, Vulnerabilities & Exploits Tagged With: attacks, dhs, ir, pentesting, russia, scada

© 2022 nGuard. All rights reserved.