The Communications Security Establishment (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) joined their Five Eyes cyber security partners in issuing a joint cyber security advisory (CSA) on Russian cyber threat activity directed against targets of interest worldwide, most notably in the UK and US, via sophisticated and successful spear-phishing attacks.
CSE and its partners assess that Star Blizzard, formerly known as “SEABORGIUM,” is responsible for this string of spear-phishing attacks. We further assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.
Many sectors have been targeted, including but not limited to academia, defence, governmental organizations, NGOs, think-tanks and politicians. We strongly suggest that organizations review the advisory, remain vigilant for the techniques it describes, and apply the mitigation measures.
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions, with emphasis on the following topics:
- Provide security awareness training for employees: Email phishing is the most common method that threat actors use to spread ransomware. Regardless of what security features are installed on someone’s device, if a malicious link is opened, that device could be compromised. Therefore, it is important that employees know how to recognize phishing attempts, and that there is a procedure in place for employees to report them to the organization’s IT desk.
- Patch operating systems (OS) and third-party apps: Unpatched and unsupported operating systems are easy vulnerabilities for cyber threat actors to exploit. Be sure to keep your OS and all third-party apps patched with the newest updates.
- Disable macros: A number of ransomware strains are sent as Microsoft Office attachments. When a user opens the attachment, they are asked to enable macros to see the contents of the document. Once they enable macros, the actual ransomware payload will download and execute. Keep macros disabled by default, and make sure employees are aware that a prompt to enable macros can be a red flag.
- Use least privilege: Users should only have the minimum amount of access required to fulfill their job duties. Restrict administrative privileges as much as possible, and ensure administrative users are required to confirm any actions that need elevated rights.
- Back up: Be sure to perform frequent back-ups and store them offline. If ransomware is planted on just one device, it can spread across your entire network quickly and covertly. Make sure your back-ups are not connected to the Internet or any local network.
- Practice recovery: Organizations should run a simulated ransomware event and practice their recovery procedures. How long would it take you to get back online? For many organizations, it takes a lot longer in practice than anticipated. These exercises show you where to focus to improve your recovery procedures.
CSE’s Cyber Centre has been posting advice and guidance online to help inform and educate Canadians on the cyber threats that may be directed against Canada:
- 7 signs of phishing
- What is phishing?
- Signs of a phishing campaign: How to keep yourself safe
- Phishing: an introduction
- Protect your organization from malware
Canadians can stay informed by visiting getcybersafe.gc.ca or cyber.gc.ca for more on how to stay cyber secure.
Additional references: