Three US security bodies – the FBI, the US Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) – warned that attacks coordinated by the Russian Foreign Intelligence Service (SVR) and APT29 against the US and foreign organizations are still ongoing. The agencies also provided intel on the attacker’s TTPs and advised on safety measures to take to protect against the attacks.
“The SVR activity—which includes the recent SolarWinds Orion supply chain compromise—primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information,” CISA said.
CISA warned that APT29 will continue to attempt to steal intelligence from US and foreign entities and will use a range of initial exploitation techniques coupled with espionage within compromised networks.
The joint advisory provides additional intel on APT29’s tactics, techniques, and procedures (TTPs) and capabilities.
The information is intended for government entities, policy analysis organizations, think tanks, information technology companies, and any other potential SVR targets.
Among the TTPs associated with SVR actors, the agencies highlighted:
- Password spraying to identify weak passwords associated with administrative accounts
- Leveraging zero-day vulnerabilities to obtain network access
- WELLMESS malware
- Tradecraft similarities with the SolarWinds-enabled intrusions in supply chain attacks
For each TTP, the FBI and DHS shared recommendations and safety measures network operators can take to defend against the described attack techniques. CISA also encouraged users and administrators to review the CSA AA21-116A advisory and implement the recommended mitigations.
Today’s security advisory closely follows another one published on April 15th, which also concerned vulnerabilities exploited by the Russian-backed APT29 hacking group (also known as the Dukes, CozyBear, and Yttrium) and offered remediation measures for the five vulnerabilities it described.