Joint cyber security advisory on Russian state-sponsored and criminal cyber threats to critical infrastructure

April 20, 2022

CSE’s Canadian Centre for Cyber Security joined cyber security partners from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC-UK), New Zealand’s National Cyber Security Centre (NCSC-NZ) and the Computer Emergency Response Team New Zealand (CERT NZ) to assess that there is an increased risk to critical infrastructure organizations globally from Russian state-sponsored advanced persistent threat (APT) actors, their proxies, and independent cybercriminal groups. These actors and criminal groups may conduct cyber operations, such as deploying ransomware or distributed denial of service (DDoS) attacks, against U.S., Australian, Canadian, New Zealand, or UK organizations to disrupt or harm critical industrial control system (ICS)/operational technology (OT) functions.

This joint Cybersecurity Advisory (CSA) provides an overview of operations by these APT and criminal groups to help the cybersecurity community reduce the risk presented by these threats. It also provides recommended mitigations, including:

  • Create, maintain, and exercise a cyber incident response and continuity of operations plan. Ensure the cyber incident response plan contains a ransomware-specific annex.
  • Maintain offline (i.e., physically disconnected) backups of data. Backup procedures should be conducted on a frequent, regular basis. Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • For OT assets/networks, identify a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment.

More information on this joint advisory