The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday released a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting U.S. and foreign entities.
By using “stealthy intrusion tradecraft in compromised networks,” the intelligence agencies said, “the SVR activity—which includes the recent SolarWinds Orion supply chain compromise—primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.”
The cyber actor is also being tracked under various monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. sanctioned Russia and formally pinned the SolarWinds hack and the related cyberespionage campaign on government operatives working for the SVR.
APT29, since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with the aim of gaining access to victim networks, moving within victim environments undetected, and extracting sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne out by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.
This similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary moved laterally through networks to gain access to email accounts, is said to have played a big role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.
“Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,” the agency noted.
Among some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as CVE-2019-19781) to gain network access, and deploying a Golang malware known as WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.
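Password spraying, the first tactic listed above, leaves a distinctive trace in authentication logs: one source failing against many accounts a few times each, rather than hammering a single account. The following added example (not from the advisory or any tool it names) runs that detection over a constructed log sample, whose format, IP addresses and account names are all made up for illustration, and separately surfaces the case that matters most, a sprayed account that subsequently logged in.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the advisory), one event per line:
# "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2021-04-26T10:00:01 198.51.100.7 alice FAIL
2021-04-26T10:00:03 198.51.100.7 bob FAIL
2021-04-26T10:00:05 198.51.100.7 carol FAIL
2021-04-26T10:00:07 198.51.100.7 dave FAIL
2021-04-26T10:00:09 198.51.100.7 erin FAIL
2021-04-26T10:00:11 198.51.100.7 frank SUCCESS
2021-04-26T10:05:00 203.0.113.9 alice FAIL
2021-04-26T10:05:02 203.0.113.9 alice FAIL
2021-04-26T10:05:04 203.0.113.9 alice FAIL
2021-04-26T10:05:06 203.0.113.9 alice FAIL
2021-04-26T10:05:08 203.0.113.9 alice FAIL
"""

def parse(log_text):
    """Parse the constructed log format into (time, src, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def find_spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources whose failed logins touch >= min_accounts distinct accounts
    inside one window: a spray. A brute force against a single account
    (many failures, one user) is deliberately not flagged here."""
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = users
                break
    return flagged

def spray_followed_by_success(events, flagged):
    """Highest-priority finding: a flagged source later authenticated, i.e.
    the spray guessed a valid password for that account."""
    return {(src, user) for _, src, user, result in events
            if src in flagged and result == "SUCCESS"}
```

The thresholds are assumptions to tune per environment; the brute-force source (203.0.113.9) is intentionally left to a separate per-account lockout rule.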
In addition to CVE-2019-19781, the threat actor is known to obtain initial footholds in victim devices and networks by leveraging CVE-2018-13379, CVE-2019-9670, CVE-2019-11510, and CVE-2020-4006.
“The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,” the advisory said, while also urging organizations to secure their networks from a compromise of trusted software.