FBI/DHS Issue Guidance for Network Defenders to Mitigate Russian Gov Hacking (April 2021)
The FBI and DHS have issued a Joint Cybersecurity Advisory on the threat posed by the Russian Foreign Intelligence Service via the cyber actor known as APT 29.
The new advisory provides "information on the SVR's cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks." Notably, the advisory uses the terms SVR and APT 29 interchangeably throughout, indicating that it sees no difference between the cyber actor and the Russian intelligence agency.
In 2018, SVR compromised a major network by using low-and-slow password spraying until they found an administrative account that did not require MFA.
"Following exploitation of the device in a way that exposed user credentials," notes the advisory, "the actors identified and authenticated to systems on the network using the exposed credentials in line with information of interest to a foreign intelligence service."
"These intrusions, which mostly relied on targeting on-premises network resources," warns the advisory, "were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment."
The FBI and DHS do not explicitly specify within the advisory that SVR was responsible for the SolarWinds compromise of Orion, but do say that use of that compromise against other targets "indicate similar post-infection tradecraft with other SVR-sponsored intrusions." In particular, this involves obtaining access to email accounts - especially those associated with IT staff - "to collect useful information about the victim networks, determine if victims had detected the intrusions, and evade eviction actions."