The FBI and DHS have issued a Joint Cybersecurity Advisory on the threat posed by the Russian Foreign Intelligence Service (SVR) via the cyber actor known as APT 29 (aka the Dukes, Cozy Bear, Yttrium and CozyDuke).
This advisory primarily looks at the threats posed by APT 29, the evolution of its methods, and best practices to defend against the actor. It should be read in conjunction with, and as a supplement to, a separate advisory published earlier this month by the NSA, CISA and the FBI. The earlier advisory examined current vulnerabilities used by APT 29, and mitigations that can be employed against that use.
The new advisory provides “information on the SVR’s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks.” Noticeably, the advisory uses the terms SVR and APT 29 interchangeably throughout, indicating that it sees no distinction between the cyber actor and the Russian intelligence agency.
The advisory highlights the primary attack methods used by APT 29, discusses tradecraft similarities to SolarWinds-enabled intrusions, and provides general APT 29 tradecraft observations.
In 2018, the SVR compromised a major network by using low-and-slow password spraying until it found an administrative account that did not require multi-factor authentication (MFA). Using this account, the SVR modified target email account permissions so that any authenticated network user could read the accounts.
“During the period of their access,” says the advisory, “the actors consistently logged into the administrative account to modify account permissions, including removing their access to accounts presumed to no longer be of interest, or adding permissions to additional accounts.”
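The 2018 intrusion described above turns on two detectable signals: a single source failing authentication against many distinct accounts over a long period (low-and-slow spraying), followed by a successful sign-in to a privileged account that was not protected by MFA. The following is an added detection example, not code from the advisory or from the FBI/DHS, run over a constructed sign-in log; the log format, the 24-hour window and the five-account threshold are assumptions chosen for illustration, and a real deployment would tune them to the identity provider's own log schema and baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): timestamp, source IP,
# username, result (OK/FAIL), and whether MFA was satisfied (yes/no).
# 203.0.113.7 tries six different accounts hours apart, then lands on an
# admin account with no MFA; 198.51.100.9 is a user mistyping their own password.
SAMPLE_LOG = """\
2018-03-01T01:00:00Z 203.0.113.7 alice FAIL no
2018-03-01T01:40:00Z 203.0.113.7 bob FAIL no
2018-03-01T02:20:00Z 203.0.113.7 carol FAIL no
2018-03-01T03:00:00Z 203.0.113.7 dave FAIL no
2018-03-01T03:45:00Z 203.0.113.7 erin FAIL no
2018-03-01T04:30:00Z 203.0.113.7 frank FAIL no
2018-03-01T05:10:00Z 203.0.113.7 svc-admin OK no
2018-03-01T01:05:00Z 198.51.100.9 alice FAIL no
2018-03-01T01:06:00Z 198.51.100.9 alice FAIL no
2018-03-01T01:07:00Z 198.51.100.9 alice OK yes
"""


def parse_log(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "user": user,
            "result": result,
            "mfa": mfa == "yes",
        })
    return events


def detect_password_spray(events, window=timedelta(hours=24), min_accounts=5):
    """Flag sources that fail against >= min_accounts distinct users inside
    one window (low-and-slow spraying), and list any later successful
    sign-ins from that source that did not satisfy MFA."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failed = [e for e in evs if e["result"] == "FAIL"]
        # Slide a window over the failures; counting distinct usernames rather
        # than raw attempts is what separates spraying from one user's typos.
        for i, start in enumerate(failed):
            names = {f["user"] for f in failed[i:]
                     if f["ts"] - start["ts"] <= window}
            if len(names) >= min_accounts:
                successes = [e for e in evs
                             if e["result"] == "OK" and e["ts"] >= start["ts"]]
                findings.append({
                    "src": src,
                    "type": "password_spray",
                    "distinct_accounts": len(names),
                    "successful_logins_without_mfa":
                        sorted({e["user"] for e in successes if not e["mfa"]}),
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

The second field of the finding is the one worth paging on: a spray that ends in a non-MFA success against an administrative account is exactly the foothold the advisory describes, and the remediation it implies is enforcing MFA on every privileged account rather than only tuning the spray threshold.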
In another incident, SVR exploited CVE-2019-19781 – at that time a zero-day vulnerability – to compromise a VPN device and obtain network access. “Following exploitation of the device in a way that exposed user credentials,” notes the advisory, “the actors identified and authenticated to systems on the network using the exposed credentials… in line with information of interest to a foreign intelligence service.”
In 2020, the governments of the U.S., UK, and Canada all attributed to APT 29 intrusions that used malware known as WELLMESS and targeted Covid-19 vaccine developers. The FBI’s investigation found that the SVR was using unpatched, publicly known vulnerabilities to access the target networks. Once this was achieved, the attacker focused on the victim’s vaccine research repository and Active Directory servers.
“These intrusions, which mostly relied on targeting on-premises network resources,” warns the advisory, “were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment.”
The FBI and DHS do not explicitly specify within the advisory that SVR was responsible for the SolarWinds compromise of Orion, but do say that use of that compromise against other targets “indicate similar post-infection tradecraft with other SVR-sponsored intrusions.” In particular, this involves obtaining access to email accounts – especially those associated with IT staff – “to collect useful information about the victim networks, determine if victims had detected the intrusions, and evade eviction actions.”
These examples indicate that a primary intention for the SVR is intelligence gathering, as befits a foreign intelligence agency. While the actor may not directly seek to damage the networks it compromises, the information it gathers may be used offensively – as seen, for example, in the use of data stolen from the Democratic National Committee (DNC) by APT 29 in 2016 prior to the presidential election that year. Other offensive uses for stolen data would depend on the nature of the data stolen.