A joint advisory by the US Department for Homeland Security's Cybersecurity Infrastructure Security Agency (CISA), FBI and the National Security Agency (NSA), as well as the UK National Cyber Security Centre
Moscow: Russian intelligence has been accused by the US and UK of carrying out cyberattacks using new techniques after it was exposed that its hackers continue to target governments, organisations and energy providers around the world.
A joint advisory by the US Department for Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA), FBI and the National Security Agency (NSA), as well as the UK National Cyber Security Centre warned organisations about updated Tactics, Techniques and Procedures (TTPs) used by Russia’s foreign intelligence service, the SVR — a group also known by cybersecurity researchers as APT29, Cozy Bear and The Dukes.
It comes after cybersecurity agencies in the US and the UK attributed the SolarWinds attack to Russia’s civilian foreign intelligence service, as well as several campaigns targeting Covid-19 vaccine developers, reports ZDNet.
“The SVR is a technologically sophisticated and highly capable cyber actor. It has developed capabilities to target organisations globally, including in the UK, US, Europe, NATO member states and Russia’s neighbours,” said the alert.
The advisory warns that Russian cyber attackers have updated their techniques and procedures to infiltrate networks and avoid detection, especially when some organisations have attempted to adjust their defences after previous alerts about cyber threats.
This includes the attackers using the open-source tool Sliver as a means of maintaining access to compromised networks and making use of numerous vulnerabilities, including vulnerabilities in Microsoft Exchange.
Sliver is an open-source red team tool, a tool used by penetration testers when legally and legitimately testing network security, but in this case is being abused to consolidate access to networks compromised with WellMess and WellMail, custom malware associated with SVR attacks, the report said.
The attackers are also targeting mail servers as part of their attacks as they’re useful staging posts to acquire administrator rights and the ability to further network information and access, be it for gaining a better understanding of the network, or a direct effort to steal information.
But despite the often advanced nature of the attacks, the paper by US and UK cybersecurity authorities said that “following basic cybersecurity principles will make it harder for even sophisticated actors to compromise target networks”.
This includes applying security patches promptly so no cyber attackers — cybercriminal or nation-state backed operative — can exploit known vulnerabilities as a means of entering or maintaining persistence on the network, the report said.