FBI, CISA Warn of Ongoing Russian Cyberthreats
Agencies Say Russia's SVR Continues to Target Vulnerable Networks
The FBI and the Cybersecurity and Infrastructure Security Agency are warning of continued cyberthreats stemming from Russia's Foreign Intelligence Service, or SVR, which the Biden administration accused of carrying out the SolarWinds supply chain attack.
In a joint alert issued Monday, the agencies warn that despite economic and other sanctions against Russia announced by the White House on April 15, attackers associated with the SVR likely will continue to target government networks, think tanks and policy analysis organizations - as well as private technology firms - using a variety of techniques and tools.
Russia has denied that its intelligence service targeted SolarWinds.
Russia's SVR "will continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks," according to the alert.
The U.S. previously blamed a threat group working for the SVR, referred to as APT29, The Dukes or Cozy Bear, for a spear-phishing campaign targeting the Democratic National Committee in 2015 that played a significant role in the 2016 U.S. election (see: Final Report: More 2016 Russian Election Hacking Details).
In announcing the Russian sanctions earlier this month, the FBI, CISA and the National Security Agency described several tools and techniques the SVR used, including the exploitation of several well-known vulnerabilities found in VPNs and other products that allow for remote access to networks (see: US Pulls Back Curtain on Russian Cyber Operations).
Focus on Cloud
The updated alert issued Monday notes that attackers associated with the SVR continue to update their techniques to avoid detection. The changes include shifting from planting malware in networks to hacking cloud-based applications, especially email, to steal data and other information.
"The exploitation of Microsoft Office 365 environments following network access gained through use of modified SolarWinds software" reflects how Russian attackers continually refine their tactics, according to the joint alert. "Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored or understood by victim organizations."
In other cases, the FBI and CISA have found the SVR using some of the same techniques leveraged in the SolarWinds supply chain attack to target others. For instance, the attackers attempted to obtain access to the cloud-based email accounts of victim organizations' IT staff to "collect useful information about the victim networks, determine if victims had detected the intrusions and evade eviction actions."
Monday's joint alert points to several earlier incidents in which Russian attackers infiltrated and established persistence within networks.
For example, in 2018, the SVR targeted an unnamed organization's network using password spraying techniques to guess the credentials of administrative accounts as a way to gain a foothold within the infrastructure, the alert notes.
"The actors conducted the password spraying activity in a 'low and slow' manner, attempting a small number of passwords at infrequent intervals, possibly to avoid detection," according to the joint report. "The password spraying used a large number of IP addresses all located in the same country as the victim, including those associated with residential, commercial, mobile and The Onion Router (TOR) addresses."
In the 2018 incident, the attackers compromised one administrator's account that did not require multifactor authentication. From there, the SVR modified email account settings, allowing it to read messages and make further changes, the FBI and CISA note.
Besides password spraying, the attackers took advantage of misconfigurations within the targeted organization's systems and applications and began logging into nonadministrative accounts. These techniques, combined with access to one administrator's account, allowed the SVR to begin accessing a wide variety of email accounts. The attackers also made sure to cover up the attack by using proxy servers, the report finds.
"While the password sprays were conducted from many different IP addresses, once the actors obtained access to an account, that compromised account was generally only accessed from a single IP address corresponding to a leased virtual private server," according to the alert. "The FBI observed minimal overlap between the VPSs used for different compromised accounts, and each leased server used to conduct follow-on actions was in the same country as the victim organization."
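The following Python is an added example, not code from the alert or this article. Run over constructed sign-in events, it shows why a per-IP failure threshold misses the "low and slow" spray described above, while counting distinct accounts hit by low-volume IPs over a long window catches it; it then lists successful sign-ins to sprayed accounts from IPs the account had not used before. The event format, thresholds and function names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (time, account, source IP, success).
# IPs are RFC 5737 documentation addresses; nothing here comes from the alert.
EVENTS = [
    ("2018-03-01T09:00", "alice", "192.0.2.10", True),     # alice's usual IP
    ("2018-03-01T09:05", "admin1", "192.0.2.20", True),    # admin1's usual IP
    ("2018-03-02T03:10", "alice", "198.51.100.1", False),
    ("2018-03-02T19:40", "bob", "198.51.100.2", False),
    ("2018-03-03T11:15", "carol", "198.51.100.3", False),
    ("2018-03-04T06:30", "admin1", "198.51.100.4", False),
    ("2018-03-05T22:05", "dave", "198.51.100.5", False),
    ("2018-03-06T14:50", "admin1", "198.51.100.6", True),  # a sprayed guess succeeds
    ("2018-03-07T01:20", "admin1", "203.0.113.77", True),  # follow-on access, one new IP
    ("2018-03-07T09:00", "alice", "192.0.2.10", True),
]

def parse(events):
    return sorted((datetime.fromisoformat(t), a, ip, ok) for t, a, ip, ok in events)

def noisy_ips(events, threshold=5):
    """Classic per-source rule: IPs with at least `threshold` failed sign-ins."""
    fails = Counter(ip for _, _, ip, ok in events if not ok)
    return [ip for ip, n in fails.items() if n >= threshold]

def detect_spray(events, window=timedelta(days=7), max_per_ip=2, min_ips=4, min_accounts=4):
    """Return accounts that failed from many IPs which each made few attempts."""
    fails = [e for e in parse(events) if not e[3]]
    for i, (start, _, _, _) in enumerate(fails):
        in_win = [e for e in fails[i:] if e[0] - start <= window]
        per_ip = Counter(e[2] for e in in_win)
        quiet = [e for e in in_win if per_ip[e[2]] <= max_per_ip]  # low-volume sources only
        ips, accounts = {e[2] for e in quiet}, {e[1] for e in quiet}
        if len(ips) >= min_ips and len(accounts) >= min_accounts:
            return accounts
    return set()

def new_ip_successes(events, accounts):
    """Successful sign-ins to sprayed accounts from IPs the account never used before."""
    known, hits = defaultdict(set), []
    for _, acct, ip, ok in parse(events):
        if not ok:
            continue
        if acct in accounts and known[acct] and ip not in known[acct]:
            hits.append((acct, ip))
        known[acct].add(ip)
    return hits
```

On real data the thresholds need tuning against normal failure rates, and the hits from `new_ip_successes` are the accounts to check first for missing multifactor authentication and changed mailbox settings.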
In another attack, the SVR took advantage of what was then a zero-day vulnerability in Citrix's Application Delivery Controller and Gateway products to attack another unnamed organization, according to the alert. Once again, because multifactor authentication was not required, the attackers gained network access through the flaw and then established persistence.
When the organization discovered the attack, it evicted the attackers, but because the initial point of entry was not known at the time, the attackers returned using the same technique, according to the FBI and CISA.
"Eventually, the initial access point was identified, removed from the network, and the actors were evicted," according to the alert. "As in the previous case, the actors used dedicated VPSs located in the same country as the victim, probably to make it appear that the network traffic was not anomalous with normal activity."
Citrix issued a patch for the flaw, now identified as CVE-2019-19781.
Over the years, the SVR and its affiliates have continued to use malware as part of their operations, including one attack that targeted COVID-19 research facilities in the U.S., the U.K. and Canada in 2020 (see: US, UK, Canada: Russian Hackers Targeting COVID-19 Research).
Tom Kellermann, head of cybersecurity strategy for VMware and a member of the Cyber Investigations Advisory Board for the U.S. Secret Service, says threat intelligence sharing by government agencies is long overdue.
"For decades, there has been an over-classification of actionable threat intelligence, and now we see a culture shift," Kellermann says.
Joseph Neumann, a cyber executive adviser at consulting firm Coalfire, notes that while some of the techniques are already known, the fact that the government is publishing them can help security teams look for compromises within their networks.
"These are helpful, to a degree, (because they allow) administrators and defenders to know where to start their initial looks, but fall short of giving them data that they can plug into security tools to begin immediate automated remediations and mitigations," Neumann says.
A report VMware published in February noted that the SVR is primarily focused on intelligence gathering and has targeted U.S. organizations as well as foreign affairs ministries in other nations.
Other security experts, including Dmitri Alperovitch, the former CTO of CrowdStrike, have previously noted that the SVR typically does not engage in the types of destructive cyber operations conducted by other parts of Russia's intelligence service, such as the Russian Main Intelligence Directorate, also known as the GRU (see: SolarWinds Attack Illustrates Evolving Russian Cyber Tactics).