DHS warns critical infrastructure orgs, local governments of potential for Russian cyberattack

The Department of Homeland Security (DHS) sent out a bulletin on Sunday to critical infrastructure operators and local governments warning of the potential for cyberattacks launched by the Russian government in response to any US involvement in a potential war in Ukraine. 

First reported by CNN, the notice said Russia “maintains a range of offensive cyber tools that it could employ against US networks –from low-level denials-of-service to destructive attacks targeting critical infrastructure.” DHS made sure to note that a Russian attack on critical infrastructure is not likely because their “threshold for conducting disruptive or destructive cyber attacks in the Homeland probably remains very high.”

“We assess that Russia would consider initiating a cyber attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security,” the bulletin said, according to ABC News.

DHS added that it has not seen Russia launch cyberattacks against US critical infrastructure, “notwithstanding cyber espionage and potential prepositioning operations in the past.”

DHS sent the memo to state governments, local governments and operators of critical infrastructure. A DHS spokesperson would not discuss the memo specifically but told ZDNet they regularly share information “with federal, state, local, tribal, and territorial officials and the private sector to ensure the safety and security of all communities across the country.” 

“We have increased operational partnerships between private sector companies and the federal government to strengthen our nation’s cyber defenses, including through CISA’s newly established Joint Cyber Defense Collaborative (JCDC). The JCDC brings these partners together to help us understand the full threat landscape and enable real-time collaboration to empower our private sector partners to gain information and take action against the most significant threats to the nation,” a DHS spokesperson said.

CNN reported that in addition to the DHS memo, multiple government agencies have been in contact with private sector companies and organizations to issue similar warnings. The Cybersecurity and Infrastructure Security Agency (CISA) has published multiple advisories this year similarly warning of a Russian cyberattack following multiple incidents in Ukraine over the last two weeks.  

CISA, which referred all questions about the most recent memo to DHS, released an alert on January 11 detailing a variety of tactics used by Russian state-sponsored groups to attack local and tribal governments across the US between September 2020 and December 2020. 

The alert said Russian state-sponsored actors have targeted a variety of the US and international critical infrastructure organizations over the years and made specific references to previously reported attacks by Russian groups on critical infrastructure in Ukraine. A US Homeland Security report from 2016 said 225,000 customers were left without power two days before Christmas because of the Russian attack on three regional electric power distribution companies. 

CISA then followed up that alert with another warning last week urging all US organizations to shore up defenses “now” in response to website defacements and destructive malware targeting Ukraine government websites and IT systems.

The government agency recommended that organizations implement multi-factor authentication for remote systems, disable ports and access points that are not business-critical, and put strong controls in place for cloud services. 

Late last week, US President Joe Biden threatened reciprocal cyberattacks against Russia if it continued to attack Ukrainian systems. 

Kevin Breen, director of cyber threat research at Immersive Labs, said the attacks last year on Colonial Pipeline and food manufacturer JBS were proof that cyberattacks could cause significant damage to everyday life. 

“We’ve seen notable ransomware groups operating out of that region, including REvil and DarkSide, with the technical ability to compromise large networks rapidly and at great scale. It would be wrong to assume that the nation state housing such criminal elements doesn’t have a matching capability,” Breen said. 

“An attack of significant magnitude, including a deliberate attack on US critical infrastructure, would almost certainly have wider geopolitical consequences. With this new bulletin, the Department of Homeland Security is working on the basis that to be forewarned is to be forearmed — and preparation is key. In this fast-paced world of constant cyberattacks and zero-day exploits, it’s always better to err on the side of caution. It’s better to assume you are a target and have strategic plans in place to match that of the adversaries’ capabilities.”