Recommendations for Network Defenders to Detect and Prevent Russian Cyber Operations

A joint cybersecurity alert was released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security (DHS) regarding the persistent cyber operations of the Russian Foreign Intelligence Service (SVR).

The alert provides further detail on the tactics, techniques, and procedures (TTPs) that SVR actors use to gain initial access to networks and on the stealthy tradecraft they use to move laterally within compromised systems. It also presents best practices that allow network defenders to strengthen their defenses, secure their networks, and investigate whether their systems have already been compromised.

The alert follows the April 15, 2021 joint notice from the NSA, CISA, and FBI that conveyed the U.S. Government's formal attribution of the SolarWinds supply chain attack to SVR cyber actors, also known as CozyBear, the Dukes, APT29 and Yttrium. The SVR operatives mainly target government agencies, policy analysis organizations and think tanks, IT businesses, and critical infrastructure organizations to collect intelligence.

Prior to 2018, SVR actors relied mostly on stealthy malware deployed on victims' systems; they have since shifted their focus to web-based resources, in particular cloud-based email services such as Microsoft Office 365, as was the case in the SolarWinds supply chain attack.

System misconfigurations are exploited and compromised accounts are used so that the actors' activity blends in with normal traffic in cloud environments. The attackers are able to evade detection when targeting cloud resources because many organizations do not effectively secure, monitor, or even fully understand these environments.

SVR operatives have previously used password spraying to identify weak passwords associated with administrative accounts. These attacks are carried out in a low-and-slow manner to avoid detection, for instance by trying a small number of passwords at infrequent intervals and from IP addresses in the country where the target is based. Once administrator access is obtained, the permissions of email accounts on the network are modified to allow interception of email. After an account is compromised, it is typically accessed from a single IP address on a leased virtual private server. If an accessed account turns out not to be useful, its permissions are reverted to the default settings to reduce the chance of detection.
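The password-spraying and mailbox-permission behaviour described above is detectable because it pivots on the source rather than the account: a spray never trips a per-account lockout, but one source touching many accounts once each over several hours does stand out, and a mailbox permission that is granted, used, and reverted within minutes is rare in legitimate administration. The following detection logic is an added example, not code from the CISA/FBI/DHS alert or from any vendor product; the JSON-lines log format, field names (`ts`, `user`, `src_ip`, `result`, `action`, `mailbox`, `grantee`), thresholds, timestamps and IP addresses are constructed for illustration and must be mapped onto your own identity-provider sign-in logs and mailbox audit logs.

```python
"""Detecting low-and-slow password spraying and grant-then-revert mailbox permission
changes. Added example; the log format, field names, thresholds and sample events
below are constructed, not taken from the alert or from any real product."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events. 198.51.100.7 tries one password per account against
# several distinct accounts, hours apart, from an in-country address, so no account
# reaches a lockout threshold and geo-filtering sees nothing unusual. 203.0.113.9 is
# a real user who mistypes a password twice and should not be flagged.
SIGNIN_LOG = """
{"ts": "2021-04-20T01:02:00Z", "user": "admin1@corp.example", "src_ip": "198.51.100.7", "result": "failure", "geo": "US"}
{"ts": "2021-04-20T02:17:00Z", "user": "admin2@corp.example", "src_ip": "198.51.100.7", "result": "failure", "geo": "US"}
{"ts": "2021-04-20T03:41:00Z", "user": "svc-backup@corp.example", "src_ip": "198.51.100.7", "result": "failure", "geo": "US"}
{"ts": "2021-04-20T05:05:00Z", "user": "helpdesk@corp.example", "src_ip": "198.51.100.7", "result": "failure", "geo": "US"}
{"ts": "2021-04-20T06:30:00Z", "user": "admin5@corp.example", "src_ip": "198.51.100.7", "result": "success", "geo": "US"}
{"ts": "2021-04-20T09:00:00Z", "user": "alice@corp.example", "src_ip": "203.0.113.9", "result": "failure", "geo": "US"}
{"ts": "2021-04-20T09:00:30Z", "user": "alice@corp.example", "src_ip": "203.0.113.9", "result": "failure", "geo": "US"}
{"ts": "2021-04-20T09:01:00Z", "user": "alice@corp.example", "src_ip": "203.0.113.9", "result": "success", "geo": "US"}
"""

# Constructed mailbox audit events. After admin5 is compromised, a permission is
# granted on an executive mailbox from a single VPS address, the mailbox is read, and
# the permission is reverted shortly afterwards. The shared-hr grant is routine
# delegation that is never reverted and should not be flagged.
MAILBOX_AUDIT_LOG = """
{"ts": "2021-04-20T06:45:00Z", "actor": "admin5@corp.example", "action": "PermissionGranted", "mailbox": "ceo@corp.example", "grantee": "admin5@corp.example", "src_ip": "192.0.2.44"}
{"ts": "2021-04-20T06:46:00Z", "actor": "admin5@corp.example", "action": "MailboxAccessed", "mailbox": "ceo@corp.example", "src_ip": "192.0.2.44"}
{"ts": "2021-04-20T07:10:00Z", "actor": "admin5@corp.example", "action": "PermissionRevoked", "mailbox": "ceo@corp.example", "grantee": "admin5@corp.example", "src_ip": "192.0.2.44"}
{"ts": "2021-04-21T10:00:00Z", "actor": "itops@corp.example", "action": "PermissionGranted", "mailbox": "shared-hr@corp.example", "grantee": "bob@corp.example", "src_ip": "10.0.0.5"}
"""


def _parse(log_text):
    """Parse JSON-lines audit text into dicts with a datetime 'ts', oldest first."""
    events = [json.loads(l) for l in log_text.strip().splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect_low_and_slow_spray(log_text, min_accounts=4, max_attempts_per_account=2,
                              min_span=timedelta(hours=1)):
    """Return {src_ip: summary} for sources whose failures look like a spray:
    many distinct accounts, each tried only a few times, over a long period."""
    by_ip = defaultdict(list)
    for e in _parse(log_text):
        by_ip[e["src_ip"]].append(e)
    findings = {}
    for ip, events in by_ip.items():
        attempts = defaultdict(int)
        for e in events:
            attempts[e["user"]] += 1
        failed_accounts = {e["user"] for e in events if e["result"] == "failure"}
        span = events[-1]["ts"] - events[0]["ts"]
        if (len(failed_accounts) >= min_accounts
                and max(attempts.values()) <= max_attempts_per_account
                and span >= min_span):
            findings[ip] = {
                "accounts_tried": len(attempts),
                "span_hours": round(span.total_seconds() / 3600, 2),
                # Any success from a spraying source is an account to treat as compromised.
                "compromised": sorted({e["user"] for e in events if e["result"] == "success"}),
            }
    return findings


def detect_grant_and_revert(log_text, window=timedelta(hours=24)):
    """Flag a mailbox permission grant that is undone within `window`; a short-lived
    grant bracketing mailbox access matches the email-collection pattern above."""
    grants = {}  # (mailbox, grantee) -> grant event still in force
    findings = []
    for e in _parse(log_text):
        key = (e.get("mailbox"), e.get("grantee"))
        if e["action"] == "PermissionGranted":
            grants[key] = e
        elif e["action"] == "PermissionRevoked" and key in grants:
            g = grants.pop(key)
            if e["ts"] - g["ts"] <= window:
                findings.append({"mailbox": key[0], "grantee": key[1], "actor": g["actor"],
                                 "lifetime_minutes": int((e["ts"] - g["ts"]).total_seconds() // 60)})
    return findings


def correlate(signin_log, mailbox_log):
    """Join the two detections: permission tampering performed by an account that a
    spraying source successfully signed into is the highest-confidence signal."""
    spray = detect_low_and_slow_spray(signin_log)
    compromised = {u for f in spray.values() for u in f["compromised"]}
    return [f for f in detect_grant_and_revert(mailbox_log) if f["actor"] in compromised]


if __name__ == "__main__":
    print(detect_low_and_slow_spray(SIGNIN_LOG))
    print(detect_grant_and_revert(MAILBOX_AUDIT_LOG))
    print(correlate(SIGNIN_LOG, MAILBOX_AUDIT_LOG))
```

On the constructed data the spray detector flags only 198.51.100.7 (five accounts over about five and a half hours, one of them successfully signed in), the mailbox detector flags only the 25-minute grant on the executive mailbox, and the correlation ties the two together through the compromised admin5 account. Thresholds are deliberately conservative; in production, group by ASN as well as IP, since the alert notes the actors rotate addresses within the target's country, and baseline how long legitimate delegation grants normally live before choosing the revert window.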

Zero-day vulnerabilities in virtual private network (VPN) appliances, including the Citrix NetScaler vulnerability CVE-2019-19781, were also exploited to gain network access. Following exploitation, user credentials were harvested and used to authenticate to systems on the network that did not have multifactor authentication enabled. The attackers also attempted to access web-based resources holding information of interest to the foreign intelligence service.

A Go-based malware variant known as WELLMESS has been used to maintain persistent access to systems and, in 2020, was used mainly in targeted attacks on organizations involved in COVID-19 vaccine development, with the attackers focusing on Active Directory servers and research repositories.

The SVR cyber actors use custom malware alongside open source and commercially available tools in their attacks. The alert provides a set of recommendations and best practices to help network defenders counter the methods used by SVR actors and identify attacks that are already under way.