In the tense days leading up to the February 2022 invasion of Ukraine, a cybersecurity breach of U.S. critical infrastructure entities by Russian state threat actors came close to unfolding. Mark Singer, Threat Branch Chief at CISA, described this close call during his presentation at MITRE ATT&CKcon in McLean, Virginia.
The breach in question took place at a managed service provider (MSP) that offered essential services to critical infrastructure entities across the U.S. The incident began to unravel in late 2021 and continued into early 2022, with CISA becoming involved in January of that year. What set this breach apart, and what raised alarms within CISA, was the depth of the compromise within the MSP's network.
Singer elaborated on the severity of the breach: the threat actors had infiltrated the network so deeply that they could intercept and manipulate communications destined for critical infrastructure entities. The potential ramifications of this access were significant, as the threat actors could tamper with ICS data and with the Modbus protocol traffic on which operational technology depends.
While an “aggressive containment response” managed to expel the threat actors from the network, the uncertainty regarding the extent of their access prompted CISA to engage with all of the MSP’s customers. Additionally, CISA maintained a presence within the network for four months to ensure that no lingering threats remained—a proactive measure uncommon for the agency.
In a surprising twist, forensic investigators later discovered that the threat actors attempted to regain access to the MSP network mere days before the invasion of Ukraine in February 2022. The potential consequences of this re-access were chilling, considering the sensitive nature of the compromised communications and the critical infrastructure entities they served.
Singer commended CERT-UA, Ukraine’s national Computer Emergency Response Team, for their assistance throughout the incident and afterward. However, he also emphasized the growing threat posed by China, suggesting that the risks associated with Chinese threat groups may surpass those posed by Russian actors, especially in light of their ambitions regarding Taiwan.
The discussion also touched on the continued activity of Russian FSB-linked threat groups, which Singer identified as capable of inflicting significant damage. He advised the audience to stay informed about Russian threats by following CERT-UA updates and stressed the value of MITRE ATT&CK as a common language for cybersecurity professionals.
In conclusion, Singer emphasized the importance of humility within the cybersecurity community, advocating for a culture of collaboration and continuous learning. The near-miss breach serves as a stark reminder of the persistent and evolving threats facing critical infrastructure in the digital age, calling for heightened vigilance and proactive security measures to safeguard against potential cyber incursions.