Guidelines for Network Defenders to Discover and Prevent Russian Cyber Operations

A joint cybersecurity advisory was issued by the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) concerning the continuing cyber campaigns of the Russian Foreign Intelligence Service (SVR).

The advisory gives additional detail on the tactics, techniques, and procedures (TTPs) SVR threat actors use to gain access to networks and the intrusion tradecraft they use to move laterally inside compromised environments. It also provides best practices to help network defenders strengthen their defenses, protect their networks, and investigate whether their networks have already been breached.

The advisory follows an April 15, 2021 joint advisory from CISA, NSA, and FBI, and is consistent with the U.S. Government's formal statement that the SolarWinds supply chain attack was carried out by SVR cyber actors, also known as Cozy Bear, APT29, the Dukes, and Yttrium. SVR operatives mostly target government agencies, policy analysis organizations and think tanks, IT firms, and critical infrastructure providers to collect intelligence.

Before 2018, SVR actors mostly deployed malware on victims' networks, but have since shifted their focus to cloud-hosted resources, including web-based email services such as Microsoft Office 365, as seen in the SolarWinds supply chain attack.

Misconfigured systems are exploited, and compromised accounts are used to blend in with normal traffic in cloud environments. Attackers targeting cloud resources can readily evade detection because many organizations fail to adequately secure, monitor, or even fully understand these environments.

SVR operatives have recently used password spraying to identify weak passwords on administrator accounts. These attacks are conducted in a low-and-slow manner to avoid detection, for example by trying a small number of passwords at infrequent intervals from IP addresses located in the same country as the target. Once administrator access is obtained, the permissions of email accounts on the system are modified to enable interception of email. A compromised account is typically accessed from a single IP address on a leased virtual private server. If an account is examined and found to be of no value, its permissions are reverted to their original settings to reduce the likelihood of detection.
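Because the spraying described above is deliberately slow and comes from in-country IP addresses, per-account lockout thresholds and geolocation filters give little signal. The useful signal for a defender is breadth: one source touching many distinct accounts with only one or two attempts each over a span of hours. The following script is an added example, not code from the advisory or from any of the agencies that issued it; the log format and the sample sign-in records are constructed for illustration, and the thresholds (a six-hour window, five or more accounts, at most two attempts per account) are assumptions to tune against real data.

```python
"""
Detect low-and-slow password spraying in sign-in logs (added example).

Constructed log format (not a real product's format): one event per line,
'<ISO-8601 UTC timestamp> <source_ip> <account> <FAIL|SUCCESS>'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries six admin accounts once each, spaced
# roughly an hour apart, and finally succeeds; a normal user mistypes twice.
SAMPLE_LOG = """\
2021-04-20T01:02:11Z 203.0.113.45 admin-jsmith FAIL
2021-04-20T01:47:03Z 203.0.113.45 admin-rlee FAIL
2021-04-20T02:31:54Z 203.0.113.45 admin-kwong FAIL
2021-04-20T03:15:20Z 203.0.113.45 admin-tnguyen FAIL
2021-04-20T04:02:48Z 203.0.113.45 admin-mpatel FAIL
2021-04-20T04:59:10Z 203.0.113.45 admin-dgarcia SUCCESS
2021-04-20T08:00:01Z 198.51.100.7 jdoe FAIL
2021-04-20T08:00:09Z 198.51.100.7 jdoe FAIL
2021-04-20T08:00:20Z 198.51.100.7 jdoe SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def detect_spray(events, window=timedelta(hours=6), min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted list of accounts} for sources that tried sign-ins
    against at least `min_accounts` distinct accounts, each no more than
    `max_per_account` times, within any `window`-long span.

    Low-and-slow spraying stays under per-account lockout counters, so the
    detection keys on the number of accounts per source rather than on the
    number of failures per account. Successful sign-ins are counted too: the
    one that works is part of the same spray.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((ts, account, result))

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        # Slide a window starting at each attempt; flag on the first match.
        for start, _, _ in attempts:
            in_window = [a for a in attempts if start <= a[0] <= start + window]
            per_account = defaultdict(int)
            for _, account, _ in in_window:
                per_account[account] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                findings[ip] = sorted(per_account)
                break
    return findings


def successes_after_spray(events, findings):
    """Accounts that a flagged spraying source authenticated to successfully.
    These are the credentials to reset first, and the mailboxes whose
    permissions should be audited for unexpected changes."""
    return sorted({acct for _, ip, acct, res in events if ip in findings and res == "SUCCESS"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = detect_spray(evts)
    for ip, accounts in hits.items():
        print(f"possible password spray from {ip}: {len(accounts)} distinct accounts")
    for acct in successes_after_spray(evts, hits):
        print(f"reset and review: {acct}")
```

On the sample data the source 203.0.113.45 is flagged and admin-dgarcia is reported as the account to reset, while the user who mistyped a password twice from 198.51.100.7 is not flagged. In production the same logic applies to sign-in logs exported from the identity provider, and the window should be long enough to cover the multi-hour spacing the advisory describes; extending the grouping key to an autonomous system or /24 catches actors that rotate between several leased hosts.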

Zero-day vulnerabilities in virtual private network (VPN) appliances have likewise been exploited to gain network access, such as the Citrix NetScaler vulnerability CVE-2019-19781. After exploitation, user credentials are harvested and used to authenticate to systems on the network that do not have multi-factor authentication enabled. The attackers also attempted to access web-based resources containing information of interest to the foreign intelligence service.

A Go-based malware variant called WELLMESS has been used to obtain persistent access to systems; in 2020 it was mainly deployed in targeted attacks on organizations engaged in COVID-19 vaccine development, with the attackers targeting Active Directory servers and research databases.

SVR attackers use custom malware alongside open source and commercially available tools. The advisory offers a range of guidance and best practices to help network defenders harden their networks against the methods used by SVR actors and identify attacks that are in progress.