Security of critical information infrastructure of the Russian Federation
2024
FSTEC will oblige government agencies, banks and enterprises of the fuel and energy complex to store information about cyber attacks for 3 years
In early August 2024, it became known that the Federal Service for Technical and Export Control of the Russian Federation (FSTEC) had developed new requirements for the protection of information in government agencies and in organizations related to critical information infrastructure (CII): banks, enterprises of the fuel and energy complex, etc.
According to the Kommersant newspaper, the FSTEC document changes the requirements for the secure storage of data that do not constitute a state secret in government agencies and at CII facilities. Such organizations will need to implement antivirus protection of IT systems, ensure intrusion prevention in the infrastructure and control the protection of information in general. In addition, the information systems of CII facilities must have enough capacity to handle traffic twice the usual volume.
In the event of a cyber threat, the market participants in question must interact with the state system for detecting computer attacks, as well as with the hosting provider or the organization providing communication services. By security threats, the document means DDoS-type cyber attacks.
The new rules also require organizations to store information about cyber incidents for three years. Such records should include the date and time when the attack began and ended, the type of threat, its intensity (Gbps), the list of network addresses that were the source of the threat, and the protection measures taken.
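The record described above, as an added example that is not part of the original article or of any FSTEC document: an incident record carrying the listed fields, a validation routine, and a retention check that keeps the record for three years from the end of the attack. The field names, the JSON layout, the sample addresses (RFC 5737 documentation ranges) and the sample incident are assumptions.

```python
"""Cyber-incident record with the fields the draft FSTEC requirements list,
plus a three-year retention check. Added example; field names, JSON layout and
sample data are assumptions, not a published schema."""
import ipaddress
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple

RETENTION_YEARS = 3


def add_years(dt: datetime, years: int) -> datetime:
    """Calendar-year arithmetic; a 29 February anniversary falls back to 28 February."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


@dataclass
class IncidentRecord:
    started_at: datetime            # timezone-aware
    ended_at: datetime
    threat_type: str                # constructed category label, e.g. "DDoS"
    intensity_gbps: float
    source_addresses: List[str]     # single IPs or CIDR prefixes
    measures_taken: List[str] = field(default_factory=list)

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the record is complete."""
        problems: List[str] = []
        if self.started_at.tzinfo is None or self.ended_at.tzinfo is None:
            problems.append("timestamps must be timezone-aware")
        if self.ended_at < self.started_at:
            problems.append("ended_at precedes started_at")
        if self.intensity_gbps <= 0:
            problems.append("intensity_gbps must be positive")
        for addr in self.source_addresses:
            try:
                ipaddress.ip_network(addr, strict=False)
            except ValueError:
                problems.append(f"unparseable source address: {addr}")
        if not self.measures_taken:
            problems.append("no protection measures recorded")
        return problems

    def retention_expires(self) -> datetime:
        """Retention runs from the end of the attack."""
        return add_years(self.ended_at, RETENTION_YEARS)

    def must_retain(self, now: datetime) -> bool:
        return now < self.retention_expires()

    def to_json(self) -> str:
        body = {
            "started_at": self.started_at.isoformat(),
            "ended_at": self.ended_at.isoformat(),
            "threat_type": self.threat_type,
            "intensity_gbps": self.intensity_gbps,
            "source_addresses": self.source_addresses,
            "measures_taken": self.measures_taken,
            "retain_until": self.retention_expires().isoformat(),
        }
        return json.dumps(body, ensure_ascii=False)


def prune(records: List[IncidentRecord], now: datetime) -> Tuple[List[IncidentRecord], List[IncidentRecord]]:
    """Split records into those still under retention and those that may be purged."""
    keep = [r for r in records if r.must_retain(now)]
    expired = [r for r in records if not r.must_retain(now)]
    return keep, expired


# Constructed sample incidents; the addresses are documentation ranges, not real sources.
SAMPLE = IncidentRecord(
    started_at=datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc),
    ended_at=datetime(2024, 6, 1, 13, 30, tzinfo=timezone.utc),
    threat_type="DDoS",
    intensity_gbps=120.5,
    source_addresses=["203.0.113.0/24", "198.51.100.7"],
    measures_taken=["blackholed 203.0.113.0/24 at upstream", "SYN rate limiting enabled"],
)
BROKEN = IncidentRecord(
    started_at=datetime(2024, 6, 2, 9, 0, tzinfo=timezone.utc),
    ended_at=datetime(2024, 6, 2, 8, 0, tzinfo=timezone.utc),
    threat_type="DDoS",
    intensity_gbps=40.0,
    source_addresses=["999.1.1.1"],
)


def sample_retained_on(year: int, month: int, day: int) -> bool:
    return SAMPLE.must_retain(datetime(year, month, day, tzinfo=timezone.utc))


def sample_retain_until() -> str:
    return SAMPLE.retention_expires().isoformat()


if __name__ == "__main__":
    print(SAMPLE.to_json())
    print(BROKEN.validate())
```

Retention is counted from the end of the attack rather than its start, since that is the later of the two timestamps the record must carry; a purge job would call `prune()` with the current time and only delete the second list.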
Nikita Tsaplin, general director of the hosting provider RUVDS, believes that the proposed measures are necessary for the market, since DDoS attacks have become a regular phenomenon. However, implementing the requirements may lead to additional costs for companies due to the need to upgrade hardware and software systems.[1]
FSTEC named 6 main reasons for successful cyber attacks on enterprises and government agencies
In mid-February 2024, the Federal Service for Technical and Export Control (FSTEC) listed four main reasons for successful hacker attacks on enterprises and government agencies:
- weak user and administrator passwords;
- single-factor identification;
- use of default passwords;
- active accounts of dismissed employees;
- use of employees' personal devices to access the information infrastructure;
- use of personal messengers and social networks at workplaces.
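The first four items in the list above are conditions an organization can check for itself in its account inventory. As an added example that is not part of the original article or of FSTEC's own tooling, the following audit walks a constructed inventory and reports weak passwords, default passwords, accounts without a second factor, and accounts of dismissed employees that are still enabled. The inventory format, the default-password list and the strength thresholds are assumptions.

```python
"""Account-hygiene audit over a constructed user inventory.
Added example; inventory format, default-password list and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed blacklist of vendor/default credentials (lower-case for comparison).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "p@ssw0rd", "changeme"}


@dataclass
class Account:
    username: str
    password: str                        # plaintext only so the example is self-contained
    is_admin: bool
    mfa_enabled: bool
    enabled: bool
    dismissed_on: Optional[date] = None  # None while the person is still employed


def password_is_weak(pw: str) -> bool:
    """Length and character-class check; 12 characters / 3 classes are assumed thresholds."""
    if len(pw) < 12:
        return True
    classes = 0
    for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()):
        if any(test(c) for c in pw):
            classes += 1
    return classes < 3


def audit(accounts: List[Account], today: date) -> List[str]:
    """One finding per violated condition per enabled account; disabled accounts are skipped."""
    findings: List[str] = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.password.lower() in DEFAULT_PASSWORDS:
            findings.append(f"{a.username}: default password")
        elif password_is_weak(a.password):
            findings.append(f"{a.username}: weak password")
        if not a.mfa_enabled:
            who = "administrator" if a.is_admin else "user"
            findings.append(f"{a.username}: single-factor identification ({who})")
        if a.dismissed_on is not None and a.dismissed_on <= today:
            findings.append(
                f"{a.username}: dismissed on {a.dismissed_on.isoformat()} but account still active"
            )
    return findings


# Constructed inventory; none of these are real accounts or credentials.
SAMPLE_ACCOUNTS = [
    Account("ivanov", "Tr0ub4dor&3-with-length", True, True, True),
    Account("svc-backup", "P@ssw0rd", True, False, True),
    Account("petrova", "summer2024", False, True, True),
    Account("sidorov", "Long-Enough-Passw0rd!", False, True, True, date(2023, 12, 1)),
    Account("old-admin", "admin", True, False, False, date(2022, 1, 1)),
]


def sample_audit() -> List[str]:
    return audit(SAMPLE_ACCOUNTS, date(2024, 2, 15))


if __name__ == "__main__":
    for line in sample_audit():
        print(line)
```

In a real deployment the password checks would run against the directory's password policy or a breached-password feed rather than plaintext, and the dismissal date would come from the HR system; the logic of the four checks stays the same.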
"The results of the analysis of computer incidents, which, unfortunately, we have had over the past two years, made it possible to form a rating of the main shortcomings, which very often become prerequisites for the successful implementation of computer attacks," said Sergey Bondarenko, head of the FSTEC department, speaking about the reasons why the IT systems of companies and government agencies are most often hacked.
According to Bondarenko, in order to create reliable cyber protection at enterprises and government agencies, it is necessary to inventory information resources, install antivirus programs, protect the perimeter of the information infrastructure and control mail attachments for malicious software.
In mid-February 2024, Russian Deputy Head of the Ministry of Digital Development Alexander Shoitov said that attacks on critical information infrastructure and state systems of the Russian Federation, including banks, had become more complicated. Often hackers, hiding behind simple DDoS attacks, conduct several more to further negatively affect IT systems.
"We don't even always see," said Shoitov, speaking at one of the conferences on information security.[2]
2023
Increase in the number of cyber attacks on critical information infrastructure facilities in Russia by 16%
The number of cyber attacks on critical information infrastructure (CII) facilities in Russia in 2023 increased by 16% compared to 2022. This is evidenced by the data of the National Coordination Center for Computer Incidents (NCCCI), which became known in May 2024.
According to Kommersant, citing materials from the center, about a third of CII owner organizations have vulnerable resources in their infrastructure. The most common reason is the use of foreign software without technical support and updates.
"If we analyze the cases of compromise in closed sessions with the NCCCI, it turns out that only a small part of the attacks on CII is associated with complex targeted computer attacks at the level of foreign special services' capabilities," says Pavel Boglay, head of the cybersecurity department at Kryptonit.
According to him, the largest number of attacks on CII facilities involve DDoS attacks, the use of Trojans, and exploitation of the human factor (identical passwords, sending important data through third-party messengers, etc.).
Experts of the information security company Solar note that the attackers have begun to carefully prepare for attacks, making them more targeted and complex. Also, hackers are actively using cyber intelligence and social engineering tools in the preparation and development of the attack, the group added.
According to a study by Angara Security specialists, about 40% of attacks on the IT infrastructure of departments and CII objects are associated with malicious software, phishing and DDoS attacks on network equipment, sites and servers.
Demid Balashov, head of the InfoWatch ARMA product development department, stressed that the important conditions for ensuring cyber protection of a CII facility are planning the most secure IT infrastructure, creating a defense architecture, applying the Secure-by-Design approach to minimize vulnerabilities, and reducing the attack surface.[3]
FSB detained a Russian citizen who joined Ukrainian cyber intelligence to attack Russian CII
FSB officers detained in the city of Belovo, Kemerovo Oblast, a Russian citizen who conducted illegal activities against the security of the Russian Federation. The detainee was charged with a crime under Art. 275 of the Criminal Code of Russia (high treason in the form of providing other assistance to a foreign organization) and was remanded in custody as a preventive measure. This was published on the official website of the FSB in a message dated October 31, 2023.
It was established that the detainee, with the help of an Internet messenger, joined a cyber unit operating in the interests of the Ukrainian intelligence services, whose activity included computer attacks using malicious software on Russian information resources, which led to disruption of the operability of the country's critical infrastructure facilities.
According to the FSB, investigative actions and operational-search measures were carried out at the places of residence and work of the defendant and of his contacts, during which computer equipment and communication devices were seized and data confirming his anti-Russian activities were obtained.[4]
Details of cyber attacks on Russian defense industry enterprises through Microsoft Office revealed
Positive Technologies experts Denis Kuvshinov and Maxim Andreev, with the participation of the Incident Response and Threat Intelligence teams of the PT Expert Security Center, prepared a detailed report analyzing a Trojan they named MataDoor. The Trojan had previously been spotted in Malwarebytes and Kaspersky Lab reports, where it was named MATAv5 and attributed to the activities of the Lazarus hacker group. Positive Technologies experts obtained a sample at one of the defense industry enterprises in the fall of 2022.
Experts tentatively associate the initial vector of malware penetration into the enterprise infrastructure with exploitation of the vulnerability CVE-2021-40444 in a Microsoft Internet Explorer component. Unfortunately, the same component is used by Microsoft Office applications, which makes it possible to craft a document that starts downloading and executing malicious code on the victim's machine. For a successful attack, the victim needs to download a DOCX document and open it for editing in Microsoft Office.
According to the researchers, letters containing documents with exploits for CVE-2021-40444 were sent to Russian military-industrial enterprises in August-September 2022. Some of them related in content to the field of activity of the attacked enterprises; others were composed simply to attract the addressee's attention. Earlier, in September 2021, Malwarebytes had recorded and investigated similar mailings, but with a different exploit.
Letters with an exploit for CVE-2021-40444 must prompt the user to enable document editing mode, which is a prerequisite for the exploit to work. These letters used a specific text design that was meant to encourage the user to turn on editing mode and change the font color to a more contrasting one. Once editing mode is enabled, malicious code is downloaded and executed from a resource controlled by the attackers. Therefore, if your employees received and viewed letters with low-contrast or otherwise inconvenient formatting, it is worth examining your infrastructure using the indicators of compromise that the researchers published in the report.
It should be noted that MataDoor is designed for long-term hidden operation in a compromised system. Its files are given names similar to legitimate software installed on the infected devices. In addition, a number of samples had a valid digital signature. The identified executables and libraries were also processed with the Themida protector to complicate analysis and detection.
The malware itself is a modular Trojan consisting of a kernel (orchestrator) and modules (plugins), which do all the actual work depending on which computer it is installed on. MataDoor also provides infrastructure for its modules to transfer data to the command-and-control server and to execute asynchronously the commands loaded from it. Thus, MataDoor can be used both to steal valuable, secret or personal information and to deploy eavesdropping and tracking components and logic bombs. The damage caused by the detected malware and its related samples is still difficult to assess; a thorough investigation must be carried out in each individual case.
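The paragraphs above describe a document that, once editing is enabled, fetches code from a resource controlled by the attackers. Whatever the specific exploit, an Office document is a zip archive whose `.rels` parts declare every external resource it will reach for, which gives a mail gateway or analyst a cheap triage signal before sandboxing. The following scanner is an added example, not from the Positive Technologies report: it lists external relationships and flags any that are not plain web or mail hyperlinks. Both sample documents are constructed in memory; the hostnames are placeholders.

```python
"""Triage of DOCX attachments for external relationships.
Added example, not from the report; sample documents are constructed in memory."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Hyperlinks to ordinary web or mail targets are normal in business documents.
BENIGN_SCHEMES = ("http://", "https://", "mailto:")


def external_relationships(docx: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels part, relationship type, target) for every TargetMode="External" entry."""
    found: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx)) as archive:
        for name in archive.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(archive.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def triage(docx: bytes) -> List[str]:
    """One finding per external relationship that is not a plain web/mail hyperlink."""
    findings: List[str] = []
    for part, rel_type, target in external_relationships(docx):
        kind = rel_type.rsplit("/", 1)[-1]      # e.g. "hyperlink", "oleObject", "frame"
        if kind == "hyperlink" and target.lower().startswith(BENIGN_SCHEMES):
            continue
        findings.append(f"{part}: external {kind} -> {target}")
    return findings


def make_docx(document_rels: str) -> bytes:
    """Build a minimal OOXML package around the given document.xml.rels content (constructed)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" '
        'ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body/></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


RELS_HEAD = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'

# Clean sample: one ordinary hyperlink to a placeholder host.
CLEAN_DOCX = make_docx(
    RELS_HEAD
    + f'<Relationship Id="rId1" Type="{OOXML}hyperlink" '
    'Target="https://example.invalid/policy" TargetMode="External"/></Relationships>'
)
# Suspicious sample: an embedded object whose content lives on a remote placeholder host.
SUSPICIOUS_DOCX = make_docx(
    RELS_HEAD
    + f'<Relationship Id="rId1" Type="{OOXML}oleObject" '
    'Target="http://updates.example.invalid/obj" TargetMode="External"/></Relationships>'
)


def sample_triage() -> Tuple[List[str], List[str]]:
    return triage(CLEAN_DOCX), triage(SUSPICIOUS_DOCX)


if __name__ == "__main__":
    print(sample_triage())
```

A hit from `triage()` is a reason to detonate the file in a sandbox and compare it with the published indicators, not a verdict by itself; documents that legitimately link to a remote template or object do exist, so the rule is best run as a quarantine-and-review filter rather than a hard block.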
The FSB Cyber Security Center records the growth of cyber attacks through IT contractors. What is recommended to do
The National Coordination Center for Computer Incidents (NCCCI), subordinate to the FSB, names cyber attacks on the information systems of government agencies and critical information infrastructure (CII) subjects through the supply chain, i.e. through the IT infrastructure of contractors, as one of the key trends of 2023.
NCCCI expert Andrei Rayevsky, speaking at an international information security conference on June 6, explained that the IT contractor often develops and hands over a project but retains administrator rights for author supervision or further support of the system. There is a tendency to penetrate the infrastructure of government agencies and CII subjects through the administrative rights of the IT contractor.
At the same time, at the legislative level there are no information security requirements for the information systems of such contractors. According to the expert, the NCCCI is considering introducing such requirements at the legislative level, first of all for IT contractors performing work for government agencies and CII subjects.
The NCCCI, for its part, recommends that customers prescribe information security requirements for contractors' IT resources in the technical assignments for IT projects. Some serious organizations are already doing this, Andrei Rayevsky notes.
In addition, the NCCCI recommends limiting the number of privileged users from among the contractor's staff who have access to the customer's systems.
There are domestic privileged access management tools on the market, and their use is becoming highly relevant; the NCCCI believes these developments are worth a closer look.
It is also necessary to monitor reports of leaks and computer incidents at contractors, and if such leaks affect the customer's information resources, to require the developers to respond and investigate their causes.
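The recommendations above reduce to conditions a customer can verify against its own records: every privileged account held by a contractor should be covered by a current support agreement, the number of such accounts per system should stay within an agreed cap, and rights nobody has used for a long time should be questioned. The review below is an added example that is not part of the original article or of any NCCCI-published format; the contract and grant data model, the idle threshold and the sample data are assumptions.

```python
"""Review of contractors' privileged access against contract terms.
Added example; data model, idle threshold and sample data are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Contract:
    contractor: str
    system: str
    support_until: Optional[date]   # None: project handed over, no support period agreed
    max_privileged_users: int


@dataclass
class PrivilegedGrant:
    account: str
    contractor: str
    system: str
    role: str
    last_used: Optional[date]       # None: never used since it was issued


def review(contracts: List[Contract], grants: List[PrivilegedGrant],
           today: date, idle_days: int = 90) -> List[str]:
    """Return one finding per violated condition; idle_days is an assumed threshold."""
    by_key: Dict[Tuple[str, str], Contract] = {(c.contractor, c.system): c for c in contracts}
    findings: List[str] = []
    counts: Counter = Counter()

    for g in grants:
        key = (g.contractor, g.system)
        counts[key] += 1
        contract = by_key.get(key)
        if contract is None:
            findings.append(f"{g.account}: {g.role} on {g.system} for {g.contractor} without any contract")
        elif contract.support_until is None:
            findings.append(f"{g.account}: {g.role} on {g.system} but no support period agreed with {g.contractor}")
        elif contract.support_until < today:
            findings.append(f"{g.account}: support by {g.contractor} ended "
                            f"{contract.support_until.isoformat()} but {g.role} rights remain")
        if g.last_used is None or (today - g.last_used).days > idle_days:
            findings.append(f"{g.account}: {g.role} on {g.system} unused for more than {idle_days} days")

    # Cap check per (contractor, system); grants without a contract were already reported above.
    for key, n in counts.items():
        contract = by_key.get(key)
        if contract is not None and n > contract.max_privileged_users:
            findings.append(f"{key[0]} holds {n} privileged accounts on {key[1]}, "
                            f"cap is {contract.max_privileged_users}")
    return findings


# Constructed sample data; contractor and system names are placeholders.
SAMPLE_CONTRACTS = [
    Contract("IntegratorA", "ERP", date(2024, 6, 30), max_privileged_users=2),
    Contract("VendorB", "Portal", None, max_privileged_users=1),
]
SAMPLE_GRANTS = [
    PrivilegedGrant("a.admin1", "IntegratorA", "ERP", "Domain Admin", date(2024, 1, 20)),
    PrivilegedGrant("a.admin2", "IntegratorA", "ERP", "DB Admin", date(2024, 1, 28)),
    PrivilegedGrant("a.admin3", "IntegratorA", "ERP", "Domain Admin", date(2023, 3, 5)),
    PrivilegedGrant("b.support", "VendorB", "Portal", "Local Admin", date(2024, 1, 15)),
    PrivilegedGrant("c.devops", "VendorC", "HR", "Root", date(2024, 1, 30)),
]


def sample_review() -> List[str]:
    return review(SAMPLE_CONTRACTS, SAMPLE_GRANTS, today=date(2024, 2, 1))


if __name__ == "__main__":
    for line in sample_review():
        print(line)
```

The contract list is the piece that usually does not exist in machine-readable form; writing the support window and the privileged-user cap into the technical assignment, as the NCCCI recommends, is what makes this review possible at all.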
The number of cyber attacks through contractors has doubled. The National Coordination Center for Computer Incidents on the main trends of 2022
The National Coordination Center for Computer Incidents (NCCCI) states that the situation in the Russian information space in 2022 was significantly influenced by the special military operation (SVO) in Ukraine. An "unprecedented in scale" cyber campaign was launched against Russia, the main goals of which are to disable the information infrastructure and gain unauthorized access to the IT systems of organizations and enterprises in various sectors of the critical information infrastructure of the Russian Federation. At an industry event on February 7, NCCCI Deputy Director Nikolai Murashov summed up the key cyber threat trends of 2022.
The number of computer attacks on Russian information infrastructure facilities in 2022 increased significantly. At the same time, threats are being realized faster: it sometimes takes only a few hours from the moment information about a threat appears - for example, the publication of a vulnerability - to its practical exploitation.
The availability of hacker tools is increasing: specialized resources regularly publish the source code of attack software, as well as detailed information about computer incidents for further analysis.
There are "politicized unfriendly actions" by the international cyber community. Thus, the international community for responding to cyber threats FIRST (Forum of Incident Response and Security Teams) has stopped working with Russian computer incident response centers. This decision confirms the concern expressed earlier by the NCCCI about the declarative nature of some countries' approach to creating a peaceful, stable and secure ICT environment, Nikolai Murashov believes.
In 2022, the number of attacks through the supply chain increased: through integrators, security product manufacturers, service providers and other business partners. According to the NCCCI, the number of attacks through contractors doubled over the year. Having gained access to the contractor's infrastructure, the attackers find themselves inside the target system.
In 2022, massive attacks on root DNS servers, disconnecting providers from large trunk channels, embedding malware in widely used elements of web pages, and the appearance of malicious code in software updates - both freely distributed and commercial - were recorded.
A feature of DDoS attacks in recent months has been the truly large number of participants. Telegram channels were quickly formed in which ordinary people were recruited, participants were instructed, target selection was coordinated, and attack tooling was distributed.
At the same time, a large amount of DDoS attacks was a cover for more serious impacts. Many computer attacks were aimed at stealing information from the systems of organizations and disabling technological processes.
One of the trends was attacks using ransomware to obtain a ransom. As targets, attackers chose solvent organizations in which data encryption could disrupt the functioning of the main business processes. Therefore, they showed interest in large companies, including industrial enterprises.
Attackers pay great attention to attacks that can have significant public resonance; many data leaks are published. At the same time, according to the NCCCI, in pursuit of newsworthiness and public resonance, attackers often present data from earlier leaks as new or compile data obtained from public sources. It is not uncommon for small organizations to be hacked and the result passed off as a leak from key government systems or critical information infrastructure facilities, which inflates the supposed significance of the event, says Nikolai Murashov.
Separately, the NCCCI notes threats associated with possible disruption of information protection tools. Termination of their support by manufacturers, mass revocation of certificates and other restrictions can negatively affect the functioning of the Russian segment of the Internet.
To counter the aggravated threats to information security more effectively, it is necessary to activate and consolidate the forces and technical means of the critical information infrastructure subjects, Nikolai Murashov noted.
The NCCCI also cited statistics on connections to the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks: 1,277 new participants joined it, and their total number now exceeds 3.5 thousand.
2022
The number of cyber attacks on the Russian public sector has grown several times
In 2022, the number of attacks on the Russian public sector roughly doubled or tripled compared to a year earlier. Shamil Chich, an analyst at the IZ:SOC cybersecurity monitoring center of Informzaschita, told Vedomosti this (the publication came out on January 16, 2023).
Almost half of Russian departments were subjected to cyber attacks
In the 12-month period, which ended in June 2022, almost half (46.6%) of Russian departments faced cyber attacks. Moreover, in 15% of cases, hacker attacks were repeated. This is stated in the study of the Center for Training Leaders and Teams of Digital Transformation of the RANEPA, published in mid-September 2022.
According to the report, excerpts from which Vedomosti cites, 69.6% of attacks on government agencies were carried out using viruses and ransomware, which mainly penetrate through corporate mail or malicious sites. 51.1% of respondents named DoS and DDoS attacks, 46.7% named phishing, 38% named attacks on the corporate network and password cracking, and 30.4% named data leakage and unauthorized access.
In 73.9% of cases, the main targets of the offenders were the sites and web applications of departments. This share is explained by the fact that most employees and customers now interact through digital services.
Only 31.9% of state organizations were not subjected to cyber attacks. One in five organizations found it difficult to answer this question.
The survey involved 302 civil servants of various levels from 75 regions and all federal districts. These were respondents with different official status - from digital transformation leaders and senior managers to ordinary employees. The center clarified that the survey participants were segmented by the level of IT competencies and a number of questions were asked only to specialized specialists (92 people).
According to Luka Safonov, technical director of Sinclit JSC, the percentage of attacks on the Russian public sector is much higher.
"I think about 90% of Russian departments and structures have recently been attacked by both schoolchildren opposed to Russia and foreign hackers," Safonov said in mid-September 2022. He added that about 10% of the attacks could have been successful.[5]
Chinese hackers attacked Russian defense enterprises
A Chinese-language cyber group attacks defense enterprises and state agencies in Russia, Eastern European countries and Afghanistan. This was announced by Kaspersky Lab on August 8, 2022.
In total, during the investigation, experts revealed attacks on more than a dozen organizations. Presumably, the attackers' goal was cyber espionage. Experts suggest that the identified series of attacks may be related to the activities of the Chinese-speaking cyber group TA428. The group used new modifications of previously known backdoors.
In some cases, the attackers managed to completely seize the IT infrastructure. To do this, they used well-prepared phishing emails. These contained internal information that was not available from public sources at the time the cybercriminals used it, including the full names of employees working with confidential information and internal code names of projects. Microsoft Word documents with malicious code exploiting the CVE-2017-11882 vulnerability were attached to the phishing emails. It allows the malware to gain control of the infected system without any additional action from the user; the user is not even required to enable macros.
As the main tool for developing the attack, the attackers used the Ladon utility, which can scan the network, search for and exploit vulnerabilities, and steal passwords. At the final stage, they seized the domain controller and then gained full control over the workstations and servers of interest in the organization. Having obtained the necessary rights, the attackers proceeded to search for files containing confidential data and download them to their servers deployed in different countries. The same servers were used to control the malware.
"Targeted phishing remains one of the most pressing threats to industrial enterprises and government agencies. The series of attacks we discovered is apparently not the first in this malicious campaign. Since the attackers are successful, we assume that such attacks could happen again in the future. Enterprises and state organizations need to be on the lookout and carry out appropriate work to prepare to repel complex targeted threats," said Vyacheslav Kopeitsev, senior expert at Kaspersky ICS CERT.
APT31 cyber group attacks Russian fuel and energy complex and media
In April 2022, during daily threat monitoring, PT Expert Security Center specialists from Positive Technologies identified an attack on a number of Russian organizations (media and energy companies) using a malicious document. Representatives of Positive Technologies reported this to TAdviser on August 4, 2022.
Presidential administration: 90% of Russia's public sector infrastructure was subjected to cyber attacks
Since the start of the Russian special operation in Ukraine (June 24, 2022), about 90% of the infrastructure of the public sector of the Russian Federation has faced cyber attacks to one degree or another. This was announced on June 16, 2022 by Tatyana Matveeva, head of the department of the Presidential Administration of the Russian Federation for the development of information and communication technologies and communication infrastructure.
Cyber group, attacking the public sector, electricity and aerospace industry in Russia discovered
On May 17, 2022, Positive Technologies announced that its expert center (PT Expert Security Center, PT ESC) had discovered another cybercriminal group. The attackers hit at least five organizations in Russia and one in Georgia, and the exact number of victims in Mongolia is still unknown. Among the targets identified by Positive Technologies specialists are state institutions and enterprises in the aviation, space and electric power industries.
Positive Technologies: government agencies are the worst protected from cyber attacks
In Russia, state bodies are worst protected from hacker attacks, according to Positive Technologies, a company specializing in information security technologies. Experts made the corresponding statement in mid-April 2022.
"Federal ministries and departments show the lowest degree of readiness for cyber attacks. Officials are now forced to live in the paradigm of a past time," said Maxim Filippov, director of business development at Positive Technologies in Russia.
According to him, procurement procedures are defined by 44-FZ and 223-FZ. To purchase some means of protection, which by April 2022 had become more relevant than ever, or to let experts onto their facilities for a retrospective investigation or reconfiguration of protection tools, they have to go through a large number of difficult procedures. They do not have time to respond, while the dynamics and types of attacks change every minute. If you do not detect and respond quickly, there will be nothing left to protect, Filippov said.
He also pointed out that state structures and companies with state participation are opponents of information exchange with experts about past cyber attacks.
"Government agencies are afraid of publicizing these incidents even among expert companies. This is not at all clear to me personally. In the current environment, they need collaboration with experts focused on ensuring the security of infrastructure in cyberspace like air," he added.
The Positive Technologies business development director cited data according to which cyber attack activity against companies and government agencies in the Russian Federation increased 100 times from late February to mid-April 2022, while banks were the best prepared for cyber attacks and federal departments and companies with state participation the least.[6]
2021
More than 90% of attacks by highly professional groups are directed at critical infrastructure facilities
The vast majority (92%) of cyber attacks committed by highly professional attackers in 2021 were aimed at critical information infrastructure (CII) facilities. Most often, the attention of highly qualified hackers - cyber mercenaries and pro-government groups - was drawn to state organizations, power enterprises, industry and the military-industrial complex. These figures were announced on December 7, 2021 by Igor Lyapunov, vice-president of Rostelecom for cybersecurity and general director of Rostelecom-Solar.
In total, according to a Rostelecom-Solar study, over 300 attacks carried out by professional attackers were recorded in 2021, one third more than in 2020. Most of the attacks were carried out by groups of average qualification - cyber crime. Such hackers use customized tools, publicly available malware and vulnerabilities, and social engineering, and their main goal is to monetize the attack directly through encryption, mining or cash-out.
Highly professional groups accounted for 18% of the attacks committed during the reporting period. Such cybercriminals use complex tools: self-written software, 0-day vulnerabilities, and previously planted implants ("bookmarks"). As a rule, they are aimed at contract work, cyber espionage, hacktivism and complete seizure of infrastructure, and their victims are large businesses and CII facilities.
"Such attacks are almost always targeted, so attackers first carefully study the attacked organization. Moreover, cyber mercenaries and pro-government groups conduct reconnaissance not only against the victim's IT perimeter, but also against its contractors," said Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar. "These groups are well acquainted with the logic of basic information protection tools, which allows them to remain unnoticed for a long time. And the damage from their actions can amount to hundreds of millions of rubles. If we are talking about CII, there are also risks associated with the impact on the country's economy as a whole, the security of citizens and the political situation."
The key techniques professional hackers use to breach the perimeter changed little over the year. Phishing still leads among medium-level attackers (60% of attacks), which is explained by its cheapness and scale.
In 50% of attacks, highly qualified hackers exploit web vulnerabilities. This is because the web applications of CII facilities and state authorities (for example, corporate portals or web mail) are still poorly protected and contain a huge number of errors. In addition, highly professional attackers resort to attacks through a contractor more often than cybercriminals do, and the number of such attacks has been growing for several years. Phishing, on the contrary, is used by them in only 2% of cases. The most popular hacking techniques of 2021 were also joined by exploitation of the MS Exchange vulnerabilities published at the end of 2020.
As a year earlier, cybercriminals most often used startup mechanisms and system services to gain persistence inside the network, and the remote services RDP, SMB and SSH to develop the overwhelming majority of attacks. In particular, this is due to the massive transition to remote work: companies began actively using these protocols, which provide remote access to files and devices.
Hacker group attacking Russian fuel and energy complex and aviation industry discovered
At the end of September 2021, it became known about the emergence of a new hacker group, ChamelGang, which was seen in attacks on critical information infrastructure, including in Russia.
The number of cyber attacks on critical infrastructure of the Russian Federation increased by 150%
The number of cyber attacks on critical infrastructure of the Russian Federation increased by 150%. This became known on July 12, 2021.
In 2020, the figure also increased, but by only 40%. Ransomware mainly attacked the educational and scientific spheres, as well as industry; such attacks accounted for 30% of the total number.
The Russian company Group-IB has calculated that 40% of all attacks are carried out by "classic" cybercriminals, while the remaining 60% are accounted for by pro-government agencies of other states.
Industrial companies are attacked by ransomware in most cases. It turns out that every large company is a potential victim for cybercriminals, and the ransom amounts are increasing.
Experts predict that the number of cyber attacks will only increase in the future, and the amounts demanded by fraudsters will grow.[7]
Cyber attacks through contractors hit banks and enterprises of the fuel and energy complex in Russia
At the end of March 2021, a service for protecting information assets Rostelecom-Solar published a study in which it reported a twofold increase in the number of attacks on objects critical information infrastructure (:, CUES banks enterprises ENERGY INDUSTRY , etc.) by penetrating through the contractor's infrastructure (supply chain method) in 2020. cyber attacks Solar JSOC The Rostelecom-Solar Monitoring and Response Center identified and reflected over 1.9 million, which is attacks 73% more than in 2019.
According to experts, hacking a contractor has become the most effective method for penetrating infrastructure targeted for cybercriminals, including, as a rule, the largest federal public sector organizations and KII facilities. This is also confirmed by international experience. At the end of 2020, it became known about the hacking of the developer company, ON SolarWinds as a result of which such clients as,, Microsoft Cisco FireEye as well as several key ministries and departments suffered. USA Solar JSOC records similar attempts at attacks on authorities and objects. Russia
The active use of the supply chain method is associated with an increase in the number of more complex targeted attacks. In addition, organizations are increasingly outsourcing part of their internal processes, but they rarely monitor their own infrastructure and practically do not control the connection points of third-party companies to their network. As a result, the problem can remain out of focus for a long time. This is what led to the growth of such attacks in 2020.
The company Rostelecom-Solar noted that the growing popularity of the supply chain method indicates not just a change in the technical specifics of attacks, but the emergence of a new key cyber security threat at the state level. However, there is no clear solution yet for how to minimize the risks. Even a contractor certified by the regulator for compliance with information security standards can be successfully attacked. At the same time, the customer company has no way to directly control the level of information security protection of the outsourcer, experts added.
Obviously, advanced APT groups will increasingly use the supply chain technique, so the information security community needs to develop a fundamental approach to solving the problem as soon as possible, said Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar.
Also, for the first time since 2017, Solar JSOC experts recorded an increase in violations committed by internal users, ordinary company employees. More than half (53%) of internal incidents were related to information leaks: after switching to remote work, employees began to commit violations, including theft and exfiltration of data, which they would not dare to do in the office. In addition, the pandemic led to an increase in violations regarding Internet access. This is not only about visiting suspicious sites from a work computer: remote workers could also gain illegitimate access to the company's closed resources, since it is difficult to correctly segment the corporate network on a VPN basis.
The most common tool for external attackers has become malware, and the main way to deliver it to the victim's infrastructure is phishing emails, most of which exploited the topic of COVID-19. At the same time, there was a significant increase (by a third) in the number of attacks using ransomware: during the period of mass remote work, when many companies weakened information security, this already simple method of monetization became even more popular.
In 2020, the number of attacks aimed at gaining control over infrastructure increased by 30%, while the number of attacks aimed at stealing funds increased slightly (by less than 10%). This indicates a significant increase in the qualifications of attackers and the complication of their tools.
2020 Report on Attacks and Tools of Professional Groups
2020
120 thousand cyber attacks were committed on the IT systems of government agencies, banks and the fuel and energy complex of Russia
More than 120 thousand hacker attacks were committed on the critical information infrastructure of Russia (this includes the IT systems of government agencies, banks, the fuel and energy complex, etc.) in 2020. This figure was announced on June 24, 2021 by the Secretary of the Security Council of the Russian Federation, Army General Nikolai Patrushev.
According to him, cyberspace is increasingly becoming the scene of the fight against "geopolitical opponents," and Russia is regularly subjected to computer attacks.
Most of them were carried out from the United States, Germany and the Netherlands, and were directed against the objects of public administration, the military-industrial complex, health care, transport, science and education of our country, he said.
As the Secretary of the Security Council noted, Russia advocates non-politicized cooperation between countries to create a global cybersecurity system.
Russia advocates the development of international cooperation in the interests of the formation of a global international legal regime that ensures the safe and equal use of information and communication technologies, he stressed in an interview with Rossiyskaya Gazeta.
On June 24, 2021, Group-IB cited data according to which three times as many attacks on critical infrastructure objects were registered in Russia in the first half of 2020 as in the whole of 2019. 40% of attacks on KII facilities in Russia were committed by cybercriminals, 60% by pro-state attackers.
Nikita Kislitsin, head of the Network Security Department of Group-IB, noted that about 8 out of 10 Russian industrial enterprises have problems with servicing the IT infrastructure.
According to experts, problems with servicing the IT infrastructure of organizations are caused by a lack of resources, outdated software and often an unfinished patch management process.[8]
An increase in the number of cyber attacks on authorities by 2 times - FSB information security center
More than half (58%) of cyber attacks in Russia in 2020 fell on state authorities, while in 2019 this share was 27%. Such data at the end of April 2021 were cited by the Deputy Director of the National Coordination Center for Computer Incidents (NCCCI; coordinates the detection, prevention and elimination of the consequences of computer attacks on critical information infrastructure in Russia and response to computer incidents) Nikolai Murashov.
An analysis of the data conducted by the NCCCI showed that while in 2019 the largest share of computer attacks (33%) was aimed at the credit and financial sector, in 2020 it was aimed at the information resources of state authorities and industrial enterprises, Murashov said at an online briefing (quoted by RIA Novosti).
According to him, the share of hacker attacks on the IT systems of industrial enterprises in 2020 reached 38% against 18% a year earlier.
Earlier, Secretary of the Security Council of the Russian Federation Nikolai Patrushev said that the intensity of foreign intelligence in cyberspace has increased significantly against the background of the aggravation of the situation in the world, and the number of hacker attacks on Russian information resources in 2020 increased 1.6 times.
Patrushev noted the annual growth of hacker attacks on the IT resources of authorities and companies "in order to block them, gain access to protected data banks and covert management of information systems."
At the same time, the issue of exploiting vulnerabilities of software used in government agencies and organizations for intelligence purposes remains relevant. More than 30% of the identified vulnerabilities can be used remotely to conduct computer attacks on the information infrastructure, said the Secretary of the Security Council of the Russian Federation.[9]
Kemerovo resident convicted of cyber attacks on KII RF
A Kemerovo resident was convicted of cyber attacks on the KII of the Russian Federation. This became known on November 27, 2020. Read more here.
Preparations for a spy attack by a Chinese APT group on Russian fuel and energy complex enterprises discovered
On September 24, 2020, it became known that the developer of information security tools, Doctor Web, published a study of a phishing campaign that was aimed at Russian enterprises in the fuel and energy complex. The first wave was dated April 2020, the last manifestations of activity occurred in September 2020. Read more here.
2019: Hackers have been preparing attacks on the fuel and energy complex for years
Hackers have been preparing attacks on enterprises in the fuel and energy sector for years. This was announced on November 14, 2019 by Positive Technologies.
According to experts, professional cyber groups conducting targeted attacks do not destructively attack immediately after penetration. They can control all systems of the enterprise for several years without taking any destructive action, but only stealing important information and waiting for the right moment to launch an attack.
During the investigation of one of the incidents, experts discovered that the TaskMasters group, which was engaged in the theft of confidential documents and espionage, had been in the infrastructure of the victim company for at least 8 years.
Basically, hackers attack the fuel and energy complex in order to disrupt its production process or to steal corporate information and damage its reputation. Only one in three attacks is aimed at stealing funds, and most often companies are faced with information leaks or data substitution and destruction.
Cyber attacks on the fuel and energy complex resulting in information leakage account for 30% of the total number of incidents. In 26% of cases, data is destroyed or substituted. 25% of the enterprises surveyed said that after attacks the company's infrastructure was idle.
According to Alexei Novikov, director of the Positive Technologies security expert center, it is very difficult to detect a targeted attack at the moment intruders enter the system. It is easier and more efficient to uncover the hacker's activity after entry into the infrastructure, for example, when they move between servers already on the internal network.
Such movements certainly leave artifacts in network traffic and on the nodes themselves, which allows you to detect the earlier penetration retrospectively and eliminate the threat before the attacker proceeds to active destructive actions or steals important information, Novikov said.[10]
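The retrospective hunting approach Novikov describes, as an added example that is not the article's or Positive Technologies' code: a small Python hunt over constructed Windows-style network logon records that flags one account fanning out to many internal servers within a short window, and account/source/destination triples absent from a constructed baseline of known-good logons. All host and account names, and the baseline, are invented for the example.

```python
"""Retrospective lateral-movement hunt over constructed network logon records.

Added example, not code from the original article. Each record mimics a
Windows 4624 logon-type-3 event reduced to (timestamp, account, source host,
destination host); all values are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a service account suddenly reaching many servers from a
# workstation at night, alongside an ordinary user's normal daytime activity.
SAMPLE_LOGONS = [
    ("2019-10-01T02:03:10", "svc-backup", "WS-17", "SRV-FILE01"),
    ("2019-10-01T02:03:42", "svc-backup", "WS-17", "SRV-DB02"),
    ("2019-10-01T02:04:05", "svc-backup", "WS-17", "SRV-APP03"),
    ("2019-10-01T02:04:30", "svc-backup", "WS-17", "SRV-DC01"),
    ("2019-10-01T09:15:00", "ivanov", "WS-04", "SRV-FILE01"),
    ("2019-10-01T11:20:00", "ivanov", "WS-04", "SRV-MAIL01"),
]

# Constructed baseline of (account, source, destination) triples seen during a
# quiet reference period; in practice this is built from historical logs.
BASELINE_TRIPLES = {
    ("ivanov", "WS-04", "SRV-FILE01"),
    ("ivanov", "WS-04", "SRV-MAIL01"),
    ("svc-backup", "SRV-BACKUP", "SRV-FILE01"),
}


def find_fan_out(logons, window=timedelta(minutes=10), min_targets=3):
    """Return {(account, source): [targets]} for actors that logged on to at
    least min_targets distinct hosts inside a sliding time window."""
    by_actor = defaultdict(list)
    for ts, account, src, dst in logons:
        by_actor[(account, src)].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for actor, events in by_actor.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts[actor] = sorted(targets)
                break  # one alert per actor is enough for triage
    return alerts


def new_triples(logons, baseline):
    """Return sorted (account, source, destination) triples never seen in the
    baseline: an account logging on from an unusual source is a classic
    artifact of stolen credentials being reused across the network."""
    return sorted({(a, s, d) for _, a, s, d in logons} - set(baseline))
```

Run `find_fan_out` and `new_triples` over the full retention window of logon events to find the earlier penetration the quote refers to, then pivot to host artifacts on the flagged source.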
2018: In 2018, about 4.3 billion cyber attacks were committed on the Russian Federation
According to the National Coordination Center for Computer Incidents, in 2018, more than 4.3 billion cyber attacks were carried out on critical infrastructures of the Russian Federation. This was announced in August 2019 by the Deputy Secretary of the Security Council of the Russian Federation Oleg Khramov in an interview with Rossiyskaya Gazeta.
According to Khramov, the number of cyber attacks over the past six years has grown by 57%. While in 2014-2015 coordinated targeted attacks numbered about 1.5 thousand per year, in 2018 their number exceeded 17 thousand. Attacks aimed at disabling equipment of critical infrastructure facilities pose a particular danger.
Since the beginning of 2019, the introduction of malicious software on more than 7 thousand objects of critical infrastructures has been prevented. The targets of the attackers' attacks were objects of the credit and financial sphere (38% of all attacks), government bodies (35%), the defense industry (7%), the field of science and education (7%) and the health sector (3%).
According to the American company Webroot, in 2018, the United States accounted for 63% of Internet resources that distribute malware, while the share of China and Russia is only 5% and 3%, respectively.
Notes
- ↑ Data storage will be protected by requirements
- ↑ law news/ 20240214/309622418.html Expert named the main reasons for successful cyber attacks on enterprises and government agencies
- ↑ Subject protection
- ↑ The FSB of Russia suppressed the illegal activities of a Russian citizen who committed high treason in the Kemerovo region
- ↑ Almost half of Russian departments were subjected to cyber attacks
- ↑ Positive Technologies: government agencies are the worst protected from cyber attacks
- ↑ The number of cyber attacks on critical infrastructure of the Russian Federation has increased by 150%.
- ↑ Patrushev: 120 thousand cyber attacks were committed on the IT systems of government agencies, banks and the fuel and energy complex of Russia for the year
- ↑ Hackers have become more likely to attack authorities, the Cyber Threats Center said
- ↑ and technologies/ 20191114/830545130.html Hackers prepare attacks on the fuel and energy complex for several years