Joint Advisory CSA: Update on SVR Cyber Operations and Vulnerability Exploitation

    Posted Oct 10, 2024 10:35:00 AM
    Hi All,

    The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Cyber National Mission Force (CNMF), and the United Kingdom's National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to highlight the tactics, techniques, and procedures (TTPs) employed by the Russian Federation's Foreign Intelligence Service (SVR) in recent cyber operations and provide network defenders with information to help counter SVR cyber threats.
    Since at least 2021, Russian SVR cyber actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes – have consistently targeted US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia's ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organizations.
    The authoring agencies are releasing this CSA to warn network defenders that SVR cyber actors are highly capable of and interested in exploiting software vulnerabilities for initial access [T1190] and escalation of privileges [T1068]. Organizations should prioritize rapid patch deployment and keep software up to date. The SVR continues using TTPs such as spearphishing [T1566], password spraying [T1078], abuse of supply chain [T1195] and trusted relationships [T1199], custom and bespoke malware, cloud exploitation, and living-off-the-land techniques to gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. SVR actors often use The Onion Router (TOR) network, leased and compromised infrastructure, and proxies to obfuscate activity.

    The authoring agencies recommend the following mitigations to protect their networks. See the Mitigations section for the complete list.
    • Reduce attack surface by disabling Internet-accessible services that you do not need, or restrict access to trusted networks, and removing unused applications and utilities from workstations and development environments.
    • Require and enforce multi-factor authentication whenever possible.
    • Regularly audit cloud-based accounts and applications with administrative access to email for unusual activity.

    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 15.1. See the ATT&CK Tactics and Techniques section for a table of the threat actors' activity mapped to ATT&CK tactics and techniques. For example, see 'https://attack.mitre.org/techniques/T1195/002/'. For assistance with mapping malicious cyber activity to the ATT&CK framework, see Best Practices for MITRE ATT&CK Mapping and Decider Tool.

    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
    ------------------------------
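The advisory above lists password spraying [T1078] among the SVR's initial-access techniques and recommends auditing accounts for unusual activity. The following is an added detection example written for this thread; it is not code from the advisory, the authoring agencies, or the poster. It scans sign-in records for the spray signature (one source address, many distinct accounts, few attempts per account inside a short window) and reports whether any of those attempts succeeded. The log lines are constructed, and the field names `user`, `src_ip` and `result` are assumptions about a generic sign-in log, not any vendor's schema.

```python
"""Detect password-spraying patterns in sign-in logs (defensive example).

Added example, not part of the advisory or the forum post. The log lines
below are constructed; the field names (user, src_ip, result) and the
timestamp format are assumptions about a generic sign-in log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one guess against six accounts and
# gets into one; 198.51.100.20 is a single user mistyping their own password.
SAMPLE_LOG = """\
2024-10-09T08:00:01Z user=alice src_ip=203.0.113.7 result=FAIL
2024-10-09T08:00:03Z user=bob src_ip=203.0.113.7 result=FAIL
2024-10-09T08:00:05Z user=carol src_ip=203.0.113.7 result=FAIL
2024-10-09T08:00:07Z user=dave src_ip=203.0.113.7 result=FAIL
2024-10-09T08:00:09Z user=erin src_ip=203.0.113.7 result=FAIL
2024-10-09T08:00:11Z user=frank src_ip=203.0.113.7 result=SUCCESS
2024-10-09T08:10:00Z user=gina src_ip=198.51.100.20 result=FAIL
2024-10-09T08:10:05Z user=gina src_ip=198.51.100.20 result=FAIL
2024-10-09T08:10:09Z user=gina src_ip=198.51.100.20 result=FAIL
2024-10-09T08:10:15Z user=gina src_ip=198.51.100.20 result=SUCCESS
"""


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' record into a dict with a datetime."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_spray(log_text, window=timedelta(minutes=15),
                 min_accounts=5, max_per_account=2):
    """Return {src_ip: summary} for sources showing a spray pattern.

    A spray is flagged when, within `window`, one source fails against at
    least `min_accounts` distinct users with no more than `max_per_account`
    failures each (a brute force against one account does not match).
    Successful sign-ins from the same source in that window are reported so
    responders can prioritise the accounts that may now be compromised.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event from this source.
        for i, start in enumerate(evs):
            fails = defaultdict(int)
            successes = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["result"] == "FAIL":
                    fails[ev["user"]] += 1
                else:
                    successes.add(ev["user"])
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                alerts[src] = {"accounts_tried": len(fails),
                               "successes": sorted(successes)}
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: "
              f"{info['accounts_tried']} accounts tried, "
              f"successful sign-ins: {info['successes'] or 'none'}")
```

The thresholds are deliberately parameters: a source that tries five accounts once each in fifteen minutes is suspicious in most environments, while a shared NAT address for a large office may need a higher `min_accounts` before it stops producing false positives. Pair this with the advisory's MFA recommendation, since a spray that guesses a password still fails when a second factor is enforced.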