Security Bulletin: Continued Threats to U.S. Banking and Energy Communities

By gTIC

In April, FishNet Security’s Global Threat Intelligence Center (gTIC) assessed that the Obama administration’s enhanced sanctions against Russia could open the possibility of retaliatory attacks on U.S. banking, energy and media outlets. That assessment appears to have come to fruition, with new reports that the Federal Bureau of Investigation is investigating Russian hackers for attacks against JPMorgan Chase & Co.

Russia commonly uses proxies and deception when carrying out attacks in the cyber realm, obscuring State-sponsored action behind nominally independent actors. During the 2008 Russo-Georgian War, Russian “patriots” used Denial of Service (DoS) attacks against Georgian media, communications, transportation and government infrastructure. At the onset of Russian involvement in Ukraine, communications in Crimea were attacked physically, reportedly by Russian forces, at Ukrtelecom, the predominant communications provider in the area. In addition, there were reports earlier this summer of attacks targeting the energy sector that have been attributed to Russia. It has been assessed that Russia holds a loose grip, but a grip nonetheless, on criminal hackers within the Russian Federation, known mostly as the Russian Business Network (RBN).

In light of the continued escalation in Ukraine - stemming from the civil war, Russia’s annexation of Crimea, enhanced U.S. sanctions and the downed aircraft in June - and continued U.S. diplomatic engagement at the U.N., we assess with high confidence that attacks against U.S.-based infrastructure will continue. Likely attack vectors include spear phishing and watering hole attacks designed to gain access to targeted systems by delivering malware such as remote access Trojans (RATs).

FishNet Security recommends that all organizations follow established best practices: maintain vulnerability patching, keep antivirus signatures current, and monitor log traffic for anomalies that indicate compromise.
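As an added illustration of the log-monitoring recommendation above (example code written for this edit; it is not part of the original bulletin, nor of FishNet Security’s services), RATs typically poll their command-and-control host on a fixed timer, while normal browsing is bursty. One useful anomaly check on web-proxy logs is therefore to look for source/destination pairs whose connection intervals are nearly constant and whose destination is contacted by only a few hosts. The log format, hostnames, IP addresses and thresholds below are all constructed assumptions, not indicators from the bulletin.

```python
"""Flag periodic outbound "beaconing" in web-proxy logs.

Added example, not from the gTIC bulletin. A RAT usually polls its
command-and-control (C2) host at a fixed interval; a (source, destination)
pair whose connection gaps are nearly constant is worth an analyst's
attention. Log format, hostnames, IPs and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _make_sample():
    """Build constructed sample lines: '<ISO timestamp> <src ip> <dest host> <bytes>'."""
    base = datetime(2014, 8, 28, 9, 0, 0)
    lines = []
    # Constructed beacon: every 300 s with +/-2 s jitter to a rarely seen host
    t = base
    for j in [0, 2, -1, 1, -2, 0, 1, -1, 2, 0, -1, 1]:
        t += timedelta(seconds=300 + j)
        lines.append(f"{t.isoformat()} 10.0.5.23 update-check.example.net 512")
    # Constructed normal browsing from the same workstation: bursty gaps
    t = base
    for g in [3, 1, 45, 2, 600, 4, 1, 120, 7, 2, 900, 3]:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()} 10.0.5.23 news.example.com 20480")
    # A second workstation using the same popular site
    t = base
    for g in [5, 30, 2, 90, 8, 3, 400, 6, 1, 55, 12, 2]:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()} 10.0.5.77 news.example.com 15360")
    return sorted(lines)


SAMPLE_LOG = _make_sample()


def parse(line):
    """Split one assumed-format log line into (timestamp, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(lines, min_hits=8, max_cv=0.05, max_sources=2):
    """Return [(src, dst, mean_gap_s, cv)] for pairs whose timing looks periodic.

    cv is stdev/mean of the gaps between consecutive connections; values near
    0 mean clockwork regularity. Destinations contacted by more than
    `max_sources` distinct hosts are skipped as likely shared, legitimate
    services (a crude stand-in for a popularity allowlist).
    """
    times = defaultdict(list)
    sources_per_dst = defaultdict(set)
    for line in lines:
        ts, src, dst, _ = parse(line)
        times[(src, dst)].append(ts)
        sources_per_dst[dst].add(src)

    flagged = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits or len(sources_per_dst[dst]) > max_sources:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            flagged.append((src, dst, round(m, 1), round(cv, 4)))
    return flagged


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{gap}s (cv={cv})")
```

On the constructed sample this flags only the 10.0.5.23 to update-check.example.net pair; the browsing traffic to news.example.com survives the source-count filter but fails the regularity test. In production the thresholds need tuning per environment, and legitimate software updaters also beacon, so the output is a triage queue for an analyst, not a verdict.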

FishNet Security’s gTIC will continue to monitor this threat as it progresses and take proactive measures within our Managed Security Services to identify and detect events associated with known indicators and tactics attributed to this actor.