FBI, CISA Uncover Tactics Employed by Russian Intelligence Hackers (Security News, April 2021)

The U.S. Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, and the Federal Bureau of Investigation on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting U.S. and foreign entities.
The SVR relies on "stealthy intrusion tradecraft within compromised networks," the intelligence agencies said, and "the SVR activity, which includes the recent SolarWinds Orion supply chain compromise, primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information."
In a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a change borne out by the SolarWinds attack, in which the actor used trojanized Orion binaries as the intrusion vector and then pivoted into Microsoft Office 365 environments.
This similarity in post-infection tradecraft with other SVR-sponsored attacks, including the way the adversary moved laterally through networks to reach email accounts, is said to have played a major role in attributing the SolarWinds campaign to the Russian intelligence service, even though the method used to gain the initial foothold was a notable departure.
Other tactics attributed to APT29 include password spraying, exploiting zero-day flaws in virtual private network appliances to obtain network access, and deploying a Golang malware called WELLMESS to steal intellectual property from multiple organizations involved in COVID-19 vaccine development.
"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services," the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.
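Password spraying, one of the tactics named above, stands out in authentication logs because one source fails against many different accounts rather than one account failing many times. The script below is an added example written for this summary, not code from the advisory or from either agency; it runs a sliding-window check over a handful of constructed log lines (the log format, account names and addresses are assumptions made for the example) and also reports any success from the same source after the failures began, which is the account a responder would want to review first.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from the advisory: flags a source that fails authentication
against many distinct accounts inside a short window, then lists any accounts
that source subsequently authenticated to successfully.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format, users and addresses are assumptions.
# 203.0.113.10 fails against five accounts in ~15 s and then succeeds as "frank".
# 198.51.100.7 is a single user mistyping a password, which should not alert.
SAMPLE_LOG = """\
2021-04-26T10:00:01Z auth FAIL user=alice src=203.0.113.10
2021-04-26T10:00:03Z auth FAIL user=bob src=203.0.113.10
2021-04-26T10:00:05Z auth FAIL user=carol src=203.0.113.10
2021-04-26T10:00:08Z auth FAIL user=dave src=203.0.113.10
2021-04-26T10:00:11Z auth FAIL user=erin src=203.0.113.10
2021-04-26T10:00:14Z auth OK user=frank src=203.0.113.10
2021-04-26T10:01:00Z auth FAIL user=alice src=198.51.100.7
2021-04-26T10:01:20Z auth FAIL user=alice src=198.51.100.7
2021-04-26T10:01:40Z auth FAIL user=alice src=198.51.100.7
2021-04-26T10:01:55Z auth OK user=alice src=198.51.100.7
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, src)."""
    ts_str, _service, result, user_kv, src_kv = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def detect_spray(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {src: {"distinct_users": n, "successes": [users]}} for every
    source whose failures cover at least `min_users` distinct accounts
    within any `window`-long span."""
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, src = parse_line(line)
            events_by_src[src].append((ts, result, user))

    alerts = {}
    for src, events in events_by_src.items():
        events.sort()
        fails = [(ts, user) for ts, result, user in events if result == "FAIL"]
        # Anchor a window at each failure and keep the largest set of
        # distinct accounts seen inside any one window.
        best = set()
        for i, (start, _) in enumerate(fails):
            in_window = {user for ts, user in fails[i:] if ts - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_users:
            first_fail = fails[0][0]
            # A success from the same source after the spray started is the
            # account most worth reviewing for compromise.
            successes = sorted({user for ts, result, user in events
                                if result == "OK" and ts >= first_fail})
            alerts[src] = {"distinct_users": len(best), "successes": successes}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} distinct accounts failed, "
              f"later successes: {info['successes']}")
```

Thresholds matter: a window of a few minutes with five or more distinct accounts catches the slow, low-volume pattern that per-account lockout policies are designed to miss, while the single-user failures from the second address stay below the bar. In a real deployment the source key would usually be a client IP or ASN drawn from the identity provider's sign-in logs rather than a constructed text file.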