The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) on Monday published a new joint advisory as part of their latest attempts to expose the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) in its attacks targeting the U.S and foreign entities.
By employing "stealthy intrusion tradecraft within compromised networks," the intelligence agencies said, "the SVR activity—which includes the recent SolarWinds Orion supply chain compromise—primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information."
The cyber actor is also being tracked under different monikers, including Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The development comes as the U.S. sanctioned Russia and formally pinned the SolarWinds hack and related cyberespionage campaign to government operatives working for SVR.
APT29, since emerging on the threat landscape in 2013, has been tied to a number of attacks orchestrated with an aim to gain access to victim networks, move within victim environments undetected, and extract sensitive information. But in a noticeable shift in tactics in 2018, the actor moved from deploying malware on target networks to striking cloud-based email services, a fact borne by the SolarWinds attack, wherein the actor leveraged Orion binaries as an intrusion vector to exploit Microsoft Office 365 environments.
This similarity in post-infection tradecraft with other SVR-sponsored attacks, including in the manner the adversary laterally moved through the networks to obtain access to email accounts, is said to have played a huge role in attributing the SolarWinds campaign to the Russian intelligence service, despite a notable departure in the method used to gain an initial foothold.
"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations," the agency noted.
Among some of the other tactics put to use by APT29 are password spraying (observed during a 2018 compromise of a large unnamed network), exploiting zero-day flaws against virtual private network appliances (such as CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.
Besides CVE-2019-19781, the threat actor is known to gain initial footholds into victim devices and networks by leveraging CVE-2018-13379, CVE-2019-9670, CVE-2019-11510, and CVE-2020-4006. Also in the mix is the practice of obtaining virtual private servers via false identities and cryptocurrencies, and relying on temporary VoIP telephone numbers and email accounts by making use of an anonymous email service called cock.li.
"The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services," the advisory read, while also urging businesses to secure their networks from a compromise of trusted software.