Security News > 2021 > April > Here's what Russia's SVR spy agency does when it breaks into your network, says US CISA infosec agency
Following attribution of the SolarWinds supply chain attack to Russia's APT29, the US CISA infosec agency has published a list of the spies' known tactics - including a penchant for using a naughtily named email provider.
APT29* is the Western infosec world's codename for what we now know is the Russian Foreign Intelligence Service, known by its Russian acronym SVR. As well as publishing a list of things US counterintelligence know about their Russian offensive counterparts, CISA has also added some advice on how to avoid these common Russian intelligence compromise tactics.
Detecting the SVR consisted of fairly routine stuff, according to CISA: auditing log files "To identify attempts to access privileged certificates", monitoring networks for encoded PowerShell commands, behavioural profiling of accounts to detect unusual activity indicating a compromise, and using threat intel to keep an eye on "Credential abuse within cloud environments."
One giveaway that you might have a Russian spy poking about, warned CISA, is the use of a cock[.
Though we're fairly sure it wasn't a Russian spy who called us abusive names from a cock[.
Li email address in 2016, CISA reckons: "While not exclusively used by SVR cyber actors, a number of SVR cyber personas use e-mail services hosted on cock[.]li or related domains."
News URL
https://go.theregister.com/feed/www.theregister.com/2021/04/27/apt29_russia_svr_tactics_cisa/