The FBI has warned the U.S. energy sector about "network scanning activity" stemming from multiple Russia-based IP addresses. The activity is believed to be associated with cyber actors "who previously conducted destructive cyber activity against foreign critical infrastructure."
The FBI bulletin, issued March 18 and obtained by CBS News, was released just days before President Biden announced Monday that "evolving intelligence" suggests Russia is exploring options for potential cyberattacks targeting the U.S. homeland.
Federal law enforcement revealed that activity of Russian IP addresses "likely indicates early stages of reconnaissance, scanning networks for vulnerabilities for use in potential future intrusions."
The FBI has identified 140 overlapping IP addresses linked to "abnormal scanning" activity of at least five U.S. energy companies, as well as at least 18 other U.S. companies spanning the defense industrial base, financial services, and information technology.
However, the focus appears to be on entities within the energy sector, according to the FBI assessment.
"US Energy Sector entities are advised to examine current network traffic for these IP addresses and conduct follow-on investigations if observed," the alert reads.
According to the FBI, IP addresses identified by law enforcement began scanning U.S. critical infrastructure as early as March 2021.
"This scanning activity has increased since the start of the Russia/Ukraine conflict, leading to a greater possibility of future intrusions," the bulletin notes. "While the FBI recognizes that scanning activity is common on a network, these reported IPs have been previously identified as conducting activity in conjunction with active exploitation of a foreign victim, which resulted in destruction of the victim's systems."
The bureau says that while these IPs cannot be directly correlated to successful exploitation, the FBI is providing indicators of compromise "out of an abundance of caution."
FBI Director Christopher Wray said Tuesday that concern about malicious cyber activity is the product of "specific investigative work and surveillance work that we've been doing all together." He added, "Most cyberattacks don't just happen in an instant. There's activity that leads up to it. There's scanning and researching, researching of victims. Scanning for vulnerabilities in systems. There's developing access to those systems. There's a whole range of preparatory work, which is what we've been seeing."
According to the FBI, the number of ransomware incidents reported to the U.S. government increased by 82% from 2019 to 2021. Since the bureau opened its investigation into Russia-based REvil hackers in August 2018, cybercriminals have attacked more than 40,000 U.S.-based victims and received over $150 million in ransoms through virtual currency systems.
Anne Neuberger, Mr. Biden's deputy national security adviser for cyber and emerging technology, told reporters Monday that U.S. officials have observed "preparatory work" linked to nation-state actors. Such activity could indicate increased levels of scanning websites and hunting for vulnerabilities among U.S. companies.
Since February 15, the Ukrainian government said it has suffered over 3,000 DDoS or "distributed denial of service attacks," that have barraged government websites with traffic, rendering them unusable. But cyber attacks launched by Russia since the start of the Ukrainian invasion have created relatively minimal damage compared with the shelling of cities and civilian casualties brought about by kinetic warfare.
Last week, engineers linked Ukraine to an electricity grid connected to much of continental Europe, allowing the country to remove its power system from its Russian adversary, officials announced. A pair of Russian-linked cyber attacks in 2015 and 2016 knocked power out in parts of Ukraine.
U.S. lawmakers and cybersecurity experts have long warned of the Kremlin using its Ukrainian neighbor as a "testing ground" for powerful cyber weapons.
The urgent memo to private sector owners and operators comes just days before the president is set to travel to Brussels Thursday for a NATO summit before heading to Poland.
"The magnitude of Russia's cyber capacity is fairly consequential," Mr. Biden said Monday, addressing the Business Roundtable, an association of some of the nation's largest corporations. "And it's coming."
CBS News has reached out to the FBI and Energy Department for comment.
Andy Triay and Cara Korte contributed to this report.