The United States and the United Kingdom have issued a joint cyber advisory on Russian Foreign Intelligence Service (SVR) tactics, techniques, and procedures.
The warning, issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the United Kingdom’s National Cyber Security Centre (NCSC), follows a recent warning attributing the SolarWinds Orion software supply-chain attack to Russian SVR actors.
The warning explains that the SVR is Russia’s civilian foreign intelligence service, and that its cyber actors are also tracked as APT29, Cozy Bear, and The Dukes. The group uses a variety of tools and techniques to target governmental, diplomatic, think-tank, healthcare and energy organizations worldwide for intelligence gain. “The SVR is a technologically sophisticated and highly capable cyber actor,” the advisory warns.
The advisory also references a warning from NSA, CISA, NCSC, and Canada’s Communications Security Establishment regarding SVR’s targeting of organizations involved in COVID-19 vaccine development throughout 2020 using WellMess and WellMail malware.
“SVR cyber operators appear to have reacted to this report by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,” the advisory explains. “These changes included the deployment of the open-source tool Sliver in an attempt to maintain their accesses.”
The advisory notes that SVR actors typically rely on publicly available exploits to conduct widespread scanning and exploitation of vulnerable systems, so unpatched, internet-reachable software is the most common initial access path.
In terms of mitigating the risk of an attack, the advisory urges organizations to:
- Protect devices and networks by keeping them up to date: run the latest supported versions, apply security patches promptly, and use anti-virus with regular scans to guard against known malware.
- Use multi-factor authentication to reduce the impact of password compromises.
- Treat people as the organization’s first line of defense. Tell staff how to report suspected phishing emails, and ensure they feel confident to do so. Investigate their reports promptly and thoroughly. Never punish users for clicking phishing links or opening attachments.
- Set up a security monitoring capability that collects and retains the logs needed to detect and analyze network intrusions.
- Prevent and detect lateral movement in the organization’s networks.