The FBI has warned the U.S. energy sector about “network scanning activity” stemming from multiple Russia-based IP addresses. The activity is believed to be associated with cyber actors “who previously conducted destructive cyber activity against foreign critical infrastructure.”
The FBI bulletin, issued March 18 and obtained by CBS News, was released just days before President Biden announced Monday that “evolving intelligence” suggests Russia is exploring options for potential cyberattacks targeting the U.S. homeland.
Federal law enforcement revealed that activity of Russian IP addresses “likely indicates early stages of reconnaissance, scanning networks for vulnerabilities for use in potential future intrusions.”
The FBI has identified 140 overlapping IP addresses linked to “abnormal scanning” activity of at least five U.S. energy companies, as well as at least 18 other U.S. companies spanning the defense industrial base, financial services, and information technology.
However, the focus appears to be on entities within the energy sector, according to the FBI assessment.
“US Energy Sector entities are advised to examine current network traffic for these IP addresses and conduct follow-on investigations if observed,” the alert reads.
According to the FBI, IP addresses identified by law enforcement began scanning U.S. critical infrastructure as early as March 2021.
“This scanning activity has increased since the start of the Russia/Ukraine conflict, leading to a greater possibility of future intrusions,” the bulletin notes. “While the FBI recognizes that scanning activity is common on a network, these reported IPs have been previously identified as conducting activity in conjunction with active exploitation of a foreign victim, which resulted in destruction of the victim’s systems.”
The bureau says that while these IPs cannot be directly correlated to successful exploitation, the FBI is providing indicators of compromise “out of an abundance of caution.”
FBI Director Christopher Wray said Tuesday that concern about malicious cyber activity is the product of “specific investigative work and surveillance work that we’ve been doing all together.” He added, “Most cyberattacks don’t just happen in an instant. There’s activity that leads up to it. There’s scanning and researching, researching of victims. Scanning for vulnerabilities in systems. There’s developing access to those systems. There’s a whole range of preparatory work, which is what we’ve been seeing.”
According to the FBI, the number of ransomware incidents reported to the U.S. government increased by 82% from 2019 to 2021. Since the bureau opened its investigation into Russia-based REvil hackers in August 2018, cybercriminals have attacked more than 40,000 U.S.-based victims and received over $150 million in ransoms through virtual currency systems.
But some U.S. cybersecurity firms have alleged discrepancies in the FBI memo, noting that many of the IP addresses listed do not exhibit targeted behavior, while others are not geo-located in Russia.
“Some have scanned internet hosts which have no connection to critical infrastructure,” Sergio Caltagirone, a former NSA cyber-defense expert and director of threat intelligence at cybersecurity firm Dragos, told CBS News. “Therefore, the targeted premise which supposedly underpins this list is questionable.”
Caltagirone added that cybersecurity firms have “precious few network defense resources” to draw upon to protect industrial infrastructure. “Tasking them with tracking 140 scanning IP addresses with no additional context will take them away from doing more valuable network defense activities,” he said.
Anne Neuberger, Mr. Biden’s deputy national security adviser for cyber and emerging technology, told reporters Monday that U.S. officials have observed “preparatory work” linked to nation-state actors. Such activity could indicate increased levels of scanning websites and hunting for vulnerabilities among U.S. companies.
Since February 15, the Ukrainian government said it has suffered over 3,000 DDoS or “distributed denial of service attacks,” that have barraged government websites with traffic, rendering them unusable. But cyber attacks launched by Russia since the start of the Ukrainian invasion have created relatively minimal damage compared with the shelling of cities and civilian casualties brought about by kinetic warfare.
Last week, engineers linked Ukraine to an electricity grid connected to much of continental Europe, allowing the country to remove its power system from its Russian adversary, officials announced. A pair of Russian-linked cyber attacks in 2015 and 2016 knocked power out in parts of Ukraine.
U.S. lawmakers and cybersecurity experts have long warned of the Kremlin using its Ukrainian neighbor as a “testing ground” for powerful cyber weapons.
The urgent memo to private sector owners and operators comes just days before the president is set to travel to Brussels Thursday for a NATO summit before heading to Poland.
“The magnitude of Russia’s cyber capacity is fairly consequential,” Mr. Biden said Monday, addressing the Business Roundtable, an association of some of the nation’s largest corporations. “And it’s coming.”
The FBI does not comment on specific intelligence products as standard practice, a spokesperson noted. “The FBI routinely shares information with law enforcement and industry partners in order to protect the communities they serve and work with. The FBI always encourages members of the public and private industry to be vigilant and report anything they consider suspicious to law enforcement,” the spokesperson added.
The Department of Energy told CBS News in a statement that it “remains fully engaged with our industry and government partners.”
“We continue to hold regular threat briefings, share intelligence and actionable information with our energy sector partners, and encourage them to strengthen their cybersecurity posture and remain vigilant,” the Department of Energy Spokesperson said.
Andy Triay and Cara Korte contributed to this report.