The Cybersecurity and Infrastructure Security Agency (CISA), together with the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), has released a joint advisory describing the tactics, techniques, and procedures (TTPs) the Russian Foreign Intelligence Service (SVR) uses in cyber operations against U.S. and allied organizations. The advisory is part of an ongoing effort to raise awareness of Russian cyber activity, particularly in light of the SolarWinds intrusions.
The advisory describes stealthy intrusion methods designed to blend into normal activity on compromised networks. The operations target government bodies, think tanks, policy analysis organizations, and IT companies in pursuit of sensitive intelligence. They include the SolarWinds compromise, which the U.S. government has formally attributed to the SVR and which led to sanctions against Russia in response.
Tracked under aliases including Advanced Persistent Threat 29 (APT29), CozyBear, and the Dukes, the SVR has shifted its tradecraft since 2018. Where it once relied on deploying malware inside victim networks, it now increasingly targets cloud-hosted resources, particularly email; the clearest example is its use of a compromised SolarWinds software update as a foothold from which to reach victims' Microsoft Office 365 environments. Operating through legitimate cloud services makes traditional, endpoint-focused detection harder, because the actors' activity blends into ordinary authentication and mail traffic.
CISA's analysis notes that access to cloud resources is typically gained through compromised accounts or misconfigurations rather than through malware, which lowers the risk of detection. Cloud environments are often monitored less closely than on-premises networks, so this approach improves the adversary's odds of gaining and keeping access to sensitive data; defenders should treat cloud sign-in and mailbox audit logs as primary telemetry rather than an afterthought.
Beyond targeting cloud infrastructure, APT29 has used password spraying and exploited vulnerabilities in internet-facing appliances, notably CVE-2019-19781 in Citrix Application Delivery Controller and Gateway, which it used while the flaw was still a zero-day. The group has also shown considerable skill at stealing intellectual property, most visibly in campaigns against organizations involved in COVID-19 vaccine development.
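Password spraying, named above as one of the SVR's techniques, is best told apart from brute force by its shape in the authentication logs: many accounts, few attempts each. The Python detector below is an added example, not code from the advisory or from CISA. It runs over constructed sign-in log lines in an invented `ts src= user= result=` format using RFC 5737 documentation addresses, and its thresholds (five users, at most three failures each, within an hour) are assumptions to be tuned against real telemetry. It also pools all source addresses, because a spray spread across many addresses evades a per-address threshold, and it reports any successful login from a flagged source, which is the event that should page someone.

```python
"""Password-spray detection over authentication log lines (added example).

A spray tries one or two common passwords against many accounts, so its
signature is many distinct users failing in a window with few attempts each.
Brute force is the opposite: many attempts against one user. The detector
scores each source address on that basis and, because a spray may be spread
across many addresses, also scores all sources pooled together. The log
format, addresses (RFC 5737 ranges) and user names are all constructed for
this example; they are not real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(
                ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                src=m["src"], user=m["user"].lower(), ok=m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_spray(events, window=timedelta(hours=1), min_users=5,
                 max_per_user=3, per_source=True):
    """Return {key: (window_start, low_attempt_users)} for keys that look sprayed.

    key is the source address, or "*" when per_source is False (all sources
    pooled). A key is reported when some sliding window contains at least
    min_users distinct users with at most max_per_user failures each; the
    window with the most such users is the one returned. Thresholds are
    assumptions for this example.
    """
    groups = defaultdict(list)
    for e in events:                      # events are already time-sorted
        if not e.ok:
            groups[e.src if per_source else "*"].append(e)
    hits = {}
    for key, fails in groups.items():
        counts = defaultdict(int)         # failures per user inside the window
        start, best = 0, None
        for e in fails:
            counts[e.user] += 1
            while e.ts - fails[start].ts > window:   # expire events that left the window
                old = fails[start].user
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            low = sum(1 for c in counts.values() if c <= max_per_user)
            if low >= min_users and (best is None or low > best[1]):
                best = (fails[start].ts, low)
        if best:
            hits[key] = best
    return hits


def successes_after_spray(events, hits):
    """Successful logins from a flagged source after its spray window began,
    i.e. the spray found a working password: the alert that matters most."""
    return [e for e in events if e.ok and e.src in hits and e.ts >= hits[e.src][0]]


# Constructed sample: a two-round spray from .10 that lands on 'frank', a
# single-account brute force from .20, and a spray spread over .31-.35.
SAMPLE_LOG = """\
2021-04-20T09:55:00Z src=198.51.100.7 user=alice result=OK
2021-04-20T10:00:01Z src=203.0.113.10 user=alice result=FAIL
2021-04-20T10:00:02Z src=203.0.113.10 user=bob result=FAIL
2021-04-20T10:00:03Z src=203.0.113.10 user=carol result=FAIL
2021-04-20T10:00:04Z src=203.0.113.10 user=dave result=FAIL
2021-04-20T10:00:05Z src=203.0.113.10 user=erin result=FAIL
2021-04-20T10:00:06Z src=203.0.113.10 user=frank result=FAIL
2021-04-20T10:05:01Z src=203.0.113.10 user=alice result=FAIL
2021-04-20T10:05:02Z src=203.0.113.10 user=bob result=FAIL
2021-04-20T10:05:03Z src=203.0.113.10 user=carol result=FAIL
2021-04-20T10:05:04Z src=203.0.113.10 user=dave result=FAIL
2021-04-20T10:05:05Z src=203.0.113.10 user=erin result=FAIL
2021-04-20T10:05:06Z src=203.0.113.10 user=frank result=OK
2021-04-20T10:10:00Z src=203.0.113.20 user=admin result=FAIL
2021-04-20T10:10:01Z src=203.0.113.20 user=admin result=FAIL
2021-04-20T10:10:02Z src=203.0.113.20 user=admin result=FAIL
2021-04-20T10:10:03Z src=203.0.113.20 user=admin result=FAIL
2021-04-20T10:10:04Z src=203.0.113.20 user=admin result=FAIL
2021-04-20T10:20:00Z src=203.0.113.31 user=gina result=FAIL
2021-04-20T10:20:10Z src=203.0.113.32 user=hank result=FAIL
2021-04-20T10:20:20Z src=203.0.113.33 user=ivan result=FAIL
2021-04-20T10:20:30Z src=203.0.113.34 user=judy result=FAIL
2021-04-20T10:20:40Z src=203.0.113.35 user=kate result=FAIL
2021-04-20T10:30:00Z src=198.51.100.7 user=bob result=OK
"""


def analyze(log_text):
    """Run both views of the detector and list sprays that landed."""
    events = parse_log(log_text)
    per_source = detect_spray(events)
    return {"per_source": per_source,
            "pooled": detect_spray(events, per_source=False),
            "landed": successes_after_spray(events, per_source)}


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(name, value)
```

On the sample, only 203.0.113.10 is flagged per source (six users, few attempts each); the brute force against `admin` is not, because one account with five failures is not a spray, and the five single-attempt addresses are each below threshold on their own but are caught once all sources are pooled. The successful login for `frank` from the flagged address is the finding to act on first: it means the spray found a valid password.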
The advisory also documents initial access through other known vulnerabilities, including CVE-2018-13379 in Fortinet FortiGate SSL VPN and CVE-2020-4006 in VMware Workspace ONE Access, as well as the use of virtual private servers rented under false identities to host attack infrastructure. Vendor patches are available for all of the vulnerabilities named, and unpatched internet-facing appliances remain a common entry point. The advisory maps these behaviors to the MITRE ATT&CK framework, particularly the initial access, persistence, and privilege escalation tactics.
Among its recommendations, the FBI and DHS urge service providers to strengthen their user validation and verification processes so that their services cannot be abused as attack infrastructure. Organizations are advised to harden their defenses against the compromise of trusted software, as in the SolarWinds supply chain attack, and to stay alert to the evolving techniques described in the advisory.