US Pulls Back Curtain on Russian Cyber OperationsForeign Intelligence Service's Techniques, Partners Revealed
While the Biden administration is betting that the latest round of sanctions against Russia will help deter the country's cyber operations, several U.S. agencies, including the National Security Agency, used the sanctions announcement as an opportunity to pull back the curtain on the tactics of Russia's Foreign Intelligence Service.
Russia's Ministry of Foreign Affairs on Thursday denied that the country was involved in the SolarWinds supply chain attack as well as election disinformation campaigns, as the U.S. alleged in announcing the sanctions. And on Friday, Russia responded to the sanctions by expelling 10 U.S. diplomats and blacklisting eight officials, according to The Washington Post.
Russia's Cyber Tactics
The NSA, along with the FBI and the Cybersecurity and Infrastructure Security Agency, issued a joint advisory Thursday that described the five top vulnerabilities the Russian intelligence agency is currently exploiting.
The sanctions announcement from the Treasury Department pinpointed five Russian-based technology and security companies and one research firm that allegedly work with the Russian Foreign Intelligence Service, aka SVR, as well as other Russian agencies, including the Main Intelligence Directorate, also known as the GRU, on cyber campaigns.
Russian Foreign Intelligence Service (SVR) cyber actors are exploiting five publicly known vulnerabilities to target U.S. and allied critical networks. Review our joint #cybersecurity guidance with @CISAgov and @FBI and apply the mitigations to stop them: https://t.co/rEC8AD7WdK pic.twitter.com/qaIpDyMx7y— NSA Cyber (@NSACyber) April 15, 2021
The NSA, CISA and the FBI are urging government agencies as well as companies to use this information about Russian cyber campaign efforts to help protect against future intrusions and attacks.
The three agencies recommend in their joint advisory that critical system owners prioritize efforts to "mitigate the loss of sensitive information that could impact U.S. policies, strategies, plans, ongoing operations and competitive advantage."
Shedding Light on Russian Operations
Speaking to reporters Thursday, a senior Biden administration official noted that by calling out the SVR and publishing a list of its tools and the organizations with which it has partnerships, the U.S. government is looking to shed light on Russia's operations while warning allies and businesses about potential cyberthreats.
"Those efforts should serve as a warning about the risks of using information and communications technology and services supplied by companies that operate or store user data in Russia, or rely on software development or remote technical support by personnel in Russia," the senior official said. "The U.S. government strongly encourages all U.S. companies using communications or technologies supplied by companies with ties to Russia to evaluate the security of their infrastructure and be aware of the potential for future U.S. action that may affect their operation."
Betting on Sanctions
By sanctioning Russia, the Biden administration is attempting to curb Russia's cyber operations while responding to these incidents in what the senior administration official called a "proportionate" manner.
Some security experts and analysts, however, say that previous sanctions, as well as law enforcement action by the U.S. Justice Department, have failed to deter Russia's cyber activities (see: Analysis: Can Russia's Cyber Destruction Appetite Be Curbed?).
"One could argue that sanctions against Russia have been rather limited in comparison to our other adversaries," says Darren Hayes, associate professor at the Seidenberg School of Computer Science and Information Systems at Pace University in New York. "The SolarWinds compromise has potentially cost U.S. businesses billions in damages, and consequently, many will view these latest sanctions as long overdue."
Greg Touhill, a retired U.S. Air Force brigadier general who served as the country's first federal CISO, notes that the Biden administration is building a coalition with the U.K., Australia and Canada to help enforce sanctions.
"By building the coalition, the threat to one is a threat to all, so we're clearly moving toward setting cyber norms and expectations in the global cyber ecosystem," Touhill says.
Previous SVR Activities
U.S. intelligence officials say Russia's SVR, which is also known as APT29, Cozy Bear and the Dukes, has conducted other cyberespionage operations against the U.S., including the attack against the Democratic National Committee in 2016.
Dmitri Alperovitch, the former CTO of CrowdStrike, has previously noted that the SVR works to stay out of the spotlight. That's one reason why the U.S. calling out its actions is so crucial (see: SolarWinds Attack Illustrates Evolving Russian Cyber Tactics).
Looks like SVR is very offended by the APT29/Cozy Bear/Dukes reference to them in the USG communications yesterday. Prefer to be referred as the former 1st department of the KGB instead. From their official press release... GRU was not so touchyhttps://t.co/Khwa8y8aZg— Dmitri Alperovitch (@DAlperovitch) April 16, 2021
The five vulnerabilities the NSA, CISA and the FBI highlighted in their joint advisory Thursday are:
- CVE-2018-13379: This vulnerability affects the Fortinet FortiOS operating system 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12, which is used in the company's Secure Sockets Layer (SSL) Virtual VPN web portal. If exploited, it could allow an unauthenticated attacker to download system files via a specially crafted HTTP resource request.
- CVE-2019-9670: This flaw affects the Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. If exploited, it could allow an attacker to use an XML External Entity (XXE) injection.
- CVE-2019-11510: Exploits of this vulnerability in Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 could allow a remote attacker to send a specially crafted Uniform Resource Identifier to perform an arbitrary file read.
- CVE-2019-19781: This vulnerability affects Citrix ADC and Gateway versions before 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b. If exploited, it could allow for directory traversal.
- CVE-2020-4006: This vulnerability in VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1-3.3.3 on Linux, VMware Identity Manager Connector 3.3.1-3.3.3 and 19.03, VMware Cloud Foundation 4.0-4.1, and VMware vRealize Suite Lifecycle Manager 8.x could be exploited for command injection vulnerability.
Other exploits of these flaws have been previously documented. For instance, in recent months, four of the five vulnerabilities have been used to target organizations conducting research on COVID-19 vaccinations.
Russia's SVR, and many other threat groups, take advantage of common unpatched vulnerabilities, which is why organizations need to ramp up their patching efforts, says Tim Wade, a former network and security technical manager with the U.S. Air Force who is now a technical director at the security firm Vectra AI.
"Security leaders should assume that for all the best intentions of their technology peers, compromises will occur," he says. "Their imperative is to detect, respond and recover from those events to expel adversaries before material damage is realized."
On Thursday, CISA and the Cyber National Mission Force released additional details on malware dubbed Sunshuttle and Solarflare that was used by the SolarWinds supply chain attackers and offered risk mitigation advice.
(Senior Correspondent Akshaya Asokan contributed to this story.)