Share this article on:
A joint cybersecurity advisory has been issued by the Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) about ongoing cyber operations by the Russian Foreign Intelligence Service (SVR).
The advisory provides further information on the tactics, techniques, and procedures (TTPs) used by SVR hackers to gain access to networks and the stealthy intrusion tradecraft used to move laterally within compromised networks. Best practices have been shared to allow network defenders to improve their defenses, secure their networks, and conduct investigations to determine whether their systems have already been compromised.
The advisory follows on from an April 15, 2021 joint alert from the NSA, CISA, and FBI following the formal declaration by the U.S. Government that the SolarWinds supply chain attack was conducted by SVR cyber actors known as The Dukes, CozyBear, Yttrium, and APT29. The CVR operatives are primarily targeting government agencies, policy analysis organizations and think tanks, IT companies, and critical infrastructure companies to gather intelligence information.
Prior to 2018, SVR operatives were primarily using stealthy malware on victims’ networks but have now changed their focus to target cloud resources, including cloud-based email services such as Microsoft Office 365, as was the case with the SolarWinds supply chain attack.
System misconfigurations are exploited, and compromised accounts are used to blend in with normal traffic in cloud environments. The hackers are able to avoid detection more easily when attacking cloud resources as many organizations do not effectively defend, monitor, or even fully understand these environments.
The SVR operatives have previously used password spraying to guess weak passwords associated with administrative accounts. These attacks are conducted in a slow and low manner to avoid detection, such as attempting small numbers of passwords at infrequent intervals using IP addresses in the country where the target is located. Once administrator access is gained, changes are made to the permissions of email accounts on the network to allow emails to be intercepted. Once an account is compromised, it is typically accessed using a single IP address on a leased virtual private server. If an account is accessed which turns out to be of no use, permissions are changed back to the original settings to minimize the possibility of detection.
Zero-day vulnerabilities in virtual private networks (VPN) have also been exploited to obtain network access, including the Citrix NetScaler vulnerability CVE-2019-19781. Once exploited, user credentials are harvested and used to authenticate to systems on the network without multifactor authentication enabled. Attempts are also made to access web-based resources containing information of interest to the foreign intelligence service.
A Go-based malware variant dubbed WELLMESS has been used to gain persistent access to networks and, in 2020, was primarily used in targeted attacks on organizations involved in COVID-19 vaccine development, with the attackers targeting research repositories and Active Directory servers.
The SVR cyber actors are capable adversaries that use custom malware and open source and commercially available tools in their attacks. Several recommendations and best practices have been offered to help network defenders improve resilience to each of the methods known to be used by SVR operatives and identify potential attacks in progress.