Russia Cyber Threat Overview and Advisories


The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment states that “…Russia will remain a top cyber threat as it refines and employs its espionage, influence, and attack capabilities” and that, “…Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.”

Recent Russian state-sponsored activity has included destructive malware and ransomware operations. Prioritizing patching of known exploited vulnerabilities is key to strengthening operational resilience against this threat.

Organizations should also take the following three steps to strengthen operational resilience against Russian state-sponsored cyber activity:

  1. Implement and enforce the use of multifactor authentication (MFA),
  2. Secure and monitor instances of remote desktop protocol (RDP) and other potentially risky services, and
  3. Provide end-user cybersecurity awareness and training.
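
Step 2 above asks organizations to monitor RDP. As an added example (not CISA code), the following Python flags RDP password-spraying and brute-force bursts in Windows Security log events; the pipe-delimited record format, IP addresses and usernames are constructed for the example, while the event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values.

```python
"""Detect RDP brute-force / password-spray activity in Windows Security
events. Added example for the 'secure and monitor RDP' step; not CISA code.
Constructed record format:  ts|event_id|logon_type|src_ip|user
EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESS_LOGON = 4625, 4624

# Constructed sample: a spray from 203.0.113.7 that ends in a successful
# logon, one typo from 198.51.100.4, a non-RDP (type 3) failure that must
# be ignored, and a slow scanner (192.0.2.5) spaced 3 minutes apart.
SAMPLE_LOG = """\
2024-01-10T08:00:01|4625|10|203.0.113.7|alice
2024-01-10T08:00:03|4625|10|203.0.113.7|bob
2024-01-10T08:00:05|4625|10|203.0.113.7|carol
2024-01-10T08:00:08|4625|10|203.0.113.7|dave
2024-01-10T08:00:11|4625|10|203.0.113.7|erin
2024-01-10T08:00:15|4625|10|203.0.113.7|svc_backup
2024-01-10T08:01:30|4624|10|203.0.113.7|svc_backup
2024-01-10T09:15:00|4625|10|198.51.100.4|alice
2024-01-10T09:15:20|4624|10|198.51.100.4|alice
2024-01-10T09:30:00|4625|3|203.0.113.9|alice
2024-01-10T10:00:00|4625|10|192.0.2.5|admin
2024-01-10T10:03:00|4625|10|192.0.2.5|admin
2024-01-10T10:06:00|4625|10|192.0.2.5|admin
2024-01-10T10:09:00|4625|10|192.0.2.5|admin
2024-01-10T10:12:00|4625|10|192.0.2.5|admin
"""

def parse_line(line):
    ts, eid, ltype, ip, user = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(eid),
            "logon_type": int(ltype), "src_ip": ip, "user": user}

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert per source IP when >= threshold failed RDP logons fall inside one
    sliding window. Many distinct usernames mark a spray; a later success from
    the same source is escalated because it suggests a guessed credential.
    Attempts spaced wider than the window are missed, so tune it per site."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] == RDP_LOGON_TYPE:   # ignore non-RDP logons
            by_ip[ev["src_ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event_id"] == FAILED_LOGON]
        for i, first in enumerate(fails):
            j = i
            while j < len(fails) and fails[j]["ts"] - first["ts"] <= window:
                j += 1
            if j - i < threshold:
                continue
            burst = fails[i:j]
            users = {f["user"] for f in burst}
            success = next((e["user"] for e in evs
                            if e["event_id"] == SUCCESS_LOGON
                            and e["ts"] > first["ts"]), None)
            alerts[ip] = {"failures": len(burst), "distinct_users": len(users),
                          "spray": len(users) > 1,
                          "success_after_failures": success}
            break
    return alerts

def analyze_sample():
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l]
    return detect_rdp_bruteforce(events)
```

Running `analyze_sample()` reports only 203.0.113.7 (six failures across six accounts, then a successful logon as svc_backup); the slow scanner stays under the threshold within the 10-minute window, which is the caveat to keep in mind when tuning.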

CISA and our partners in the U.S. government and around the world provide timely and actionable information about the Russian state-sponsored cyber threat to help organizations prioritize the most effective cybersecurity measures. As a starting point, organizations should:

  • Prioritize mitigation of known exploited vulnerabilities.
  • Implement the Cyber Performance Goals, which are a baseline set of broadly applicable cybersecurity practices with known risk-reduction value.
  • Urgently report potential malicious activity to CISA or the FBI:
    • The easiest way is to go to CISA.gov and click the “report a cyber issue” button right up top.
    • You can also contact CISA’s 24/7 Operations Center: cisa.gov/report | report@cisa.gov | 888-282-0870
    • Contact your local FBI field office or IC3.gov.
  • Sign up to receive CISA’s cybersecurity alerts and advisories for timely notification of emerging campaigns and incidents. Review advisories on Russian state-sponsored cyber threats outlined in the table below. CISA particularly recommends reviewing the following advisories:
    • Hunting Russian Intelligence “Snake” Malware
    • APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers and the UK National Cyber Security Centre’s Jaguar Tooth Malware Analysis Report for guidance on protecting against malware that targets unpatched Cisco IOS routers.
    • Protecting Against Malicious Use of Remote Monitoring and Management Software, which outlines steps to help organizations harden networks against malicious use of remote monitoring and management software.
    • Technical Approaches to Uncovering and Remediating Malicious Activity, which outlines steps to help organizations identify intrusions across their enterprise.
  • Sign up for CISA’s free Vulnerability Scanning service to receive alerts when the service identifies vulnerabilities known to be exploited by Russian state-sponsored cyber actors.
  • Establish a relationship with a regional CISA Cybersecurity Advisor to access additional services, assessments, and guidance.

Table 1: CISA and Joint CISA Publications

Each entry lists the publication date, the title, and a description.

August 31, 2023

Joint Malware Analysis Report: Infamous Chisel

The UK National Cyber Security Centre (NCSC), the U.S. National Security Agency (NSA), U.S. Cybersecurity and Infrastructure Security Agency (CISA), U.S. Federal Bureau of Investigation (FBI), New Zealand’s National Cyber Security Centre (NCSC-NZ), the Canadian Centre for Cyber Security (part of Canada’s Communications Security Establishment, CSE), and the Australian Signals Directorate (ASD) are aware that the actor known as Sandworm has used a new mobile malware in a campaign targeting Android devices used by the Ukrainian military. The malware is referred to here as Infamous Chisel.

Organizations from the United Kingdom, United States, Australia, Canada, and New Zealand have previously linked the Sandworm actor to the Russian GRU’s Main Centre for Special Technologies (GTsST). For more information, see the Joint Malware Analysis Report: Infamous Chisel.

May 09, 2023

Joint Cybersecurity Advisory: Hunting Russian Intelligence “Snake” Malware

CISA and partners have released a joint advisory for a sophisticated cyber espionage tool used by Russian cyber actors. Hunting Russian Intelligence “Snake” Malware provides technical descriptions of the malware’s host architecture and network communications, and mitigations to help detect and defend against this threat.

CISA urges organizations to review the advisory for more information and apply the recommended mitigations and detection guidance. For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure.

April 18, 2023

Joint Cybersecurity Advisory: APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers

NCSC, NSA, CISA, and FBI have released a joint advisory to provide details of tactics, techniques, and procedures (TTPs) associated with APT28's exploitation of Cisco routers in 2021. By exploiting the vulnerability CVE-2017-6742, APT28 used infrastructure to masquerade Simple Network Management Protocol (SNMP) access into Cisco routers worldwide, including routers in Europe, U.S. government institutions, and approximately 250 Ukrainian victims.

CISA encourages personnel to review NCSC’s Jaguar Tooth malware analysis report for detailed TTPs and indicators of compromise which may help detect APT28 activity. For more information on APT28 activity, see the advisories Russian State-sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.

April 20, 2022

Joint Cybersecurity Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.

This advisory provides an overview of Russian state-sponsored advanced persistent threat groups, Russian-aligned cyber threat groups, and Russian-aligned cybercrime groups to help the cybersecurity community protect against possible cyber threats.

March 24, 2022

Joint Cybersecurity Advisory: Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector

This joint Cybersecurity Advisory, coauthored by CISA, the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE), provides information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted U.S. and international Energy Sector organizations. CISA, the FBI, and DOE responded to these campaigns with appropriate action in and around the time that they occurred. CISA, the FBI, and DOE are sharing this information in order to highlight historical tactics, techniques, and procedures (TTPs) used by adversaries to target U.S. and international Energy Sector organizations.

On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) employee for their involvement in intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies.

March 15, 2022

Joint Cybersecurity Advisory: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability

This Advisory warns organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.

February 23, 2022

Joint Cybersecurity Advisory: New Sandworm Malware Cyclops Blink Replaces VPNFilter

In this Advisory, NCSC-UK, CISA, NSA and the FBI report that the malicious cyber actor known as Sandworm or Voodoo Bear is using new malware, referred to as Cyclops Blink. Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices.

February 16, 2022

Joint Cybersecurity Advisory: Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology

From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. This Advisory provides detection and mitigation recommendations for CDCs to reduce the risk of data exfiltration by Russian state-sponsored actors.

January 11, 2022

Joint Cybersecurity Advisory: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

This Advisory provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. It is intended to help the cybersecurity community reduce the risk presented by these threats.

July 20, 2021

ICS Advisory: ICSA-14-178-01: ICS Focused Malware – Havex

ICS Alert: ICS-ALERT-14-281-01E: Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)

ICS Alert: IR-ALERT-H-16-056-01: Cyber-Attack Against Ukrainian Critical Infrastructure

Technical Alert: TA17-163A: CrashOverride Malware

These previously published ICS advisories and alerts contain information on historical cyber-intrusion campaigns by Russian nation-state cyber actors.

July 16, 2021

Joint Cybersecurity Advisory: APT29 targets COVID-19 vaccine development

This Advisory details recent Tactics, Techniques and Procedures (TTPs) of the group commonly known as ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’. It also provides indicators of compromise as well as detection and mitigation advice.

July 1, 2021

Joint Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments

This Advisory details how the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has targeted hundreds of U.S. and foreign organizations using brute force access to penetrate government and private sector victim networks. The advisory reveals the tactics, techniques, and procedures (TTPs) GTsSS actors used in their campaign to exploit targeted networks, access credentials, move laterally, and collect and exfiltrate data.

May 14, 2021

CISA Analysis Report: Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise

This Analysis Report provides guidance to federal agencies in crafting eviction plans in response to the SolarWinds Orion supply chain compromise. The guidance is intended for federal agencies with networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity. Although this guidance is tailored to federal agencies, CISA encourages critical infrastructure entities; state, local, tribal, and territorial government organizations; and private sector organizations to review and apply it, as appropriate. Note: For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.

May 7, 2021

Joint NCSC-CISA-FBI-NSA CSA: Further TTPs associated with SVR cyber actors

This Joint Cybersecurity Advisory (CSA) is on Russian SVR activities related to the SolarWinds Orion compromise. The CSA details SVR tactics, techniques, and procedures (TTPs) and SVR-leveraged malware, including WELLMESS, WELLMAIL, GoldFinder, GoldMax, and possibly Sibot, as well as the open-source Red Team command and control frameworks Sliver and Cobalt Strike. Note: See FactSheet: Russian SVR Activities for summaries of three key Joint CSAs that detail Russian SVR activities related to the SolarWinds compromise. For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.

April 26, 2021

Joint FBI-DHS-CISA CSA: SVR Cyber Operations: Trends and Best Practices for Network Defenders

This Joint CSA is on Russian SVR activities related to the SolarWinds Orion compromise. The CSA provides information on SVR TTPs. Specifically, this CSA points out the FBI's observation that, starting in 2018, the SVR shifted from "using malware on victim networks to targeting cloud resources, particularly e-mail, to obtain information." Significantly, SVR's compromise of Microsoft cloud environments following their SolarWinds Orion supply chain compromise is an example of this trend. Note: See FactSheet: Russian SVR Activities for summaries of three key Joint CSAs that detail Russian SVR activities related to the SolarWinds compromise. For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.

April 15, 2021

Joint NSA-CISA-FBI CSA: Russian SVR Targets U.S. and Allied Networks

This Joint CSA is on Russian SVR activities related to the SolarWinds Orion compromise. The CSA details the vulnerabilities the SVR is leveraging—as well as the techniques it is using—in its attempts to compromise U.S. and Allied networks. Note: See FactSheet: Russian SVR Activities for summaries of three key Joint CSAs that detail Russian SVR activities related to the SolarWinds compromise. For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.

March 18, 2021

CISA Alert: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool

This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with the SolarWinds Orion supply chain compromise. Note: For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.

January 8, 2021

CISA Alert: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments

This Alert is a companion alert to CISA Alert: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations. This Alert addresses the APT actor's tactics and techniques. Note: For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.

December 17, 2020

CISA Alert: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

MAR 10318845-1.v1 - SUNBURST

MAR 10320115-1.v1 - TEARDROP

MAR 10327841-1.v1 - SUNSHUTTLE

This Alert focuses on an APT actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations. Note: For more information on the SolarWinds Orion supply chain compromise, refer to the Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise webpage.

October 22, 2020

Joint FBI-CISA CSA: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets

This Joint CSA provides information on Russian state-sponsored APT actor activity targeting various U.S. state, local, tribal, and territorial government networks, as well as aviation networks. This Advisory updates Joint CISA-FBI CSA: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.

October 9, 2020

Joint CISA-FBI CSA: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations

This Joint CSA provides information on APT actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability. The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application.

April 16, 2018

Joint DHS-FBI-NCSC Alert: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

This Joint Technical Alert provides information on the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the internet service providers supporting these sectors.

March 15, 2018

Joint DHS-FBI Alert: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors

This Joint Technical Alert provides information on Russian government actions targeting U.S. government entities as well as critical infrastructure organizations. It also contains IOCs and technical details on the TTPs used by Russian government cyber actors on compromised victim networks.

July 1, 2017

CISA Alert: Petya Ransomware

This Technical Alert provides in-depth technical analysis of NotPetya malware, a Petya malware variant that surfaced on June 27, 2017. The U.S. Government has publicly attributed this NotPetya malware variant to the Russian military.

February 10, 2017

CISA Analysis Report: Enhanced Analysis of GRIZZLY STEPPE Activity

This Analysis Report provides signatures and recommendations to detect and mitigate threats from GRIZZLY STEPPE actors.

December 29, 2016

Joint DHS-FBI Analysis Report: GRIZZLY STEPPE - Russian Malicious Cyber Activity

This Joint Analysis Report provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.