US and UK Issue Joint Alert on Russian Cyber Activity
Russian Intelligence Agency SVR's Tactics Described
U.S. and U.K. cyber, law enforcement and intelligence agencies issued a joint advisory Friday offering detailed information on how to defend against the activities of the Russian Foreign Intelligence Service, or SVR, in the wake of the 2020 SolarWinds supply chain attack.
The U.K.'s National Cyber Security Center, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency say the SVR, through its threat group APT29, will continue to attack, so organizations need to understand the threat it poses.
"APT29 will continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks. The SVR primarily targets government networks, think tank and policy analysis organizations, and information technology companies," CISA says in its alert.
CISA attributed the SolarWinds supply chain attack that resulted in follow-on attacks on about nine government departments and 100 companies to APT29, also known as The Dukes, Cozy Bear and Yttrium. The agency notes that the SVR's cyber operations have posed a longstanding threat to the U.S. and other nations.
The U.S. officially attributed SolarWinds to Russian activity in April, and the Biden administration formally sanctioned Russia over the cyberespionage operation (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
During the past few years, CISA and other agencies have noticed a change in the SVR's tactics. Prior to 2018, APT29 designed its operations to gain access to victims' networks and steal information, using customized tools to stay stealthy while moving laterally inside a victim's network.
Since 2018, the FBI has observed the SVR shift away from planting malware on victim networks and toward targeting cloud resources, particularly email, to obtain information.
"The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software reflects this continuing trend," CISA says. "Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations."
The agencies issuing the advisory note the SVR is a highly capable adversary but has fallen into a few noticeable patterns. Intrusions often start with the SVR's operators obtaining false identities and cryptocurrencies, although how the SVR uses the money was not described.
The SVR often builds low-reputation infrastructure through a virtual private server, or VPS, reseller, that is, a hosting provider that rents out virtual machines running on its servers. From there, temporary email accounts and VoIP phone numbers are created, often on the cock[.]li domain, the alert says.
"SVR cyber operators have used open-source or commercially available tools continuously, including Mimikatz - an open-source credential-dumping tool - and Cobalt Strike - a commercially available exploitation tool," the FBI notes.
Mimikatz is a tool for extracting authentication material, such as plaintext passwords, password hashes and Kerberos tickets, from the memory of a Windows system and saving it for reuse.
The international agencies have observed the SVR using a variety of means to gain access to a target network, including password spraying, leveraging zero-day vulnerabilities and using WellMess malware.
The alert notes that one SVR attack in 2018 used password spraying to gain access to an unnamed large network. The IT team had mistakenly exempted an administrator account from multifactor authentication, so a password spray against that account succeeded. The attackers then used the access to change the permissions on specific email accounts so that any authenticated user on the network could read those mailboxes, the agencies say.
While the SVR attackers had access to this system, they consistently logged into the admin account to modify account permissions, removing and obtaining access as needed, the alert says.
"The FBI observed minimal overlap between the VPSs used for different compromised accounts, and each leased server used to conduct follow-on actions was in the same country as the victim organization," the alert says.
The agency described ways to mitigate the risks posed by this type of attack, including:
- Mandate the use of an approved multifactor authentication solution for all users, whether on-premises or remote;
- Prohibit remote access to administrative functions and resources from IP addresses and systems not owned by the organization;
- Regularly review the organization's password management program.
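The spraying pattern the alert describes, one source trying a few passwords against many accounts and then landing on an MFA-exempt admin, can be picked out of sign-in telemetry. The following Python is an added example written for this article, not code from the advisory or the agencies. It runs a simple spray detector over a constructed CSV sign-in log (hypothetical format: timestamp, source IP, username, result, whether MFA was enforced), then lists the successful logins from spraying sources and the logins that were allowed through without MFA, which is exactly the account the advisory says the attackers reused.

```python
"""Password-spray triage over constructed sign-in log lines.

Spraying tries one or two passwords against many accounts, so the signal is
a single source IP failing against many distinct usernames inside a short
window. Brute force, by contrast, hammers one account. The CSV layout below
is a hypothetical export format, not any vendor's real schema.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample (not real telemetry): timestamp, source IP, username,
# result, whether MFA was enforced for the login. 198.51.100.7 sprays five
# accounts and then succeeds against an MFA-exempt admin; 203.0.113.9 is a
# user mistyping a password twice and then logging in normally.
SAMPLE_LOG = """\
2018-06-01T02:00:01Z,198.51.100.7,alice,FAIL,yes
2018-06-01T02:00:03Z,198.51.100.7,bob,FAIL,yes
2018-06-01T02:00:05Z,198.51.100.7,carol,FAIL,yes
2018-06-01T02:00:07Z,198.51.100.7,dave,FAIL,yes
2018-06-01T02:00:09Z,198.51.100.7,erin,FAIL,yes
2018-06-01T02:00:11Z,198.51.100.7,admin,SUCCESS,no
2018-06-01T02:05:00Z,203.0.113.9,alice,FAIL,yes
2018-06-01T02:05:10Z,203.0.113.9,alice,FAIL,yes
2018-06-01T02:05:20Z,203.0.113.9,alice,SUCCESS,yes
"""


def parse_log(text):
    """Parse the CSV into dicts with a real datetime and a boolean MFA flag."""
    rows = []
    for ts, ip, user, result, mfa in csv.reader(StringIO(text)):
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "result": result,
            "mfa": mfa == "yes",
        })
    return rows


def detect_spray(rows, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted usernames} for sources whose failures hit at
    least min_users distinct accounts inside one sliding window."""
    fails_by_ip = defaultdict(list)
    for r in rows:
        if r["result"] == "FAIL":
            fails_by_ip[r["ip"]].append(r)
    hits = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda r: r["ts"])
        for i, start in enumerate(fails):
            users = {r["user"] for r in fails[i:] if r["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def successes_from_spraying_ips(rows, spray_ips):
    """Logins that succeeded from a spraying source: triage these first.
    Returns (ip, user, mfa_enforced) tuples in log order."""
    return [(r["ip"], r["user"], r["mfa"])
            for r in rows if r["ip"] in spray_ips and r["result"] == "SUCCESS"]


def mfa_exempt_logins(rows):
    """Accounts that logged in successfully without MFA being enforced,
    the misconfiguration the advisory describes for the admin account."""
    return sorted({r["user"] for r in rows if r["result"] == "SUCCESS" and not r["mfa"]})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    sprayers = detect_spray(events)
    print("spraying sources:", sprayers)
    print("successes from sprayers:", successes_from_spraying_ips(events, sprayers))
    print("logins without MFA:", mfa_exempt_logins(events))
```

The thresholds (five distinct accounts in ten minutes) are illustrative; in production you would tune them per identity provider and also key on the user-agent and ASN, since the alert notes the SVR leased servers in the victim's own country precisely to blend in with geography-based rules.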
The alert describes an attack that exploited CVE-2019-19781 in a Citrix appliance to gain access. Because the victim did not use multifactor authentication, the attackers went on to access several on-premises systems and attempted to reach certain web-based resources that held data of interest, the alert says.
The victim discovered the intrusion and evicted the attackers, but because the Citrix appliance remained unpatched, the attackers regained access through the same flaw. Only once the victim patched the vulnerability were the attackers permanently removed, the alert says.
Suggested risk mitigations for this type of attack include:
- Monitor the network for evidence of encoded PowerShell commands and execution of network scanning tools;
- Ensure host-based antivirus/endpoint monitoring solutions are enabled and set to alert;
- Immediately bring newly added systems, including those used for testing or development, under the organization's security baseline and enterprise monitoring.
The SVR uses the WellMess malware family, which lets a remote operator establish encrypted command-and-control sessions and push scripts to an infected system for execution, CISA says.
WellMess was deployed in SVR attacks on COVID-19 research facilities in the U.K., Canada and the U.S. in 2020. The attackers gained a foothold by exploiting an unpatched, publicly known vulnerability and then installed the malware, the agencies say.
"Once on the network, the actors targeted each organization's vaccine research repository and Active Directory servers. These intrusions, which mostly relied on targeting on-premises network resources, were a departure from historic tradecraft and likely indicate new ways the actors are evolving in the virtual environment," the alert says.
Suggested mitigations for this type of attack include:
- Audit log files to identify attempts to access privileged certificates and the creation of fake identity providers;
- Deploy software to identify suspicious behavior on systems;
- Deploy endpoint protection systems with the ability to monitor for behavioral indicators of compromise.