Russian hackers are still launching offensive cyber attacks against the US and its allies in efforts to steal information or lay the foundations for future operations, a joint alert by security and intelligence agencies has warned.
The advisory from the FBI, Department of Homeland Security and CISA warns that the Russian Foreign Intelligence Service (SVR) – also known by cybersecurity researchers as APT 29, the Dukes and CozyBear – continues to target organisations in efforts to gather intelligence.
US agencies – along with the UK’s National Cyber Security Centre (NCSC) – recently blamed the SVR for the SolarWinds supply chain attack, which saw hackers gain access to tens of thousands of organisations around the world – including several government agencies after compromising the company’s software updates process.
And now organisations are being warned that Russian cyber attacks show no signs of slowing down, especially when it comes to targeting the networks of organisations involved with government, think tanks and information technology.
Cloud services including email and Microsoft Office 365 are being particularly targeted in attacks.
“Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,” warned the agency alert.
The alert details common techniques used in SVR operations, including password spraying, leveraging zero-day vulnerabilities and deploying malware.
Password spraying is when the attackers target weak passwords associated with admin accounts. These accounts are secured with common or weak passwords, including default usernames and passwords, providing cyber attackers with a relatively simple means of gaining access to poorly secured networks.
In many cases, the attackers will break into as many accounts as they can, only thinking about how they can be exploited later.
To defend against password spraying attacks, the FBI and DHS recommend the mandatory use of multi-factor authentication across the network and to where possible, enforce the use of strong passwords – particularly for administrator accounts. It’s also recommended that access to remote administrative functions from IP addresses not owned by the organisations is prohibited.
Another common attack technique used by Kremlin-backed hackers is levering vulnerabilities in virtual private network (VPN) appliances which expose login credentials.
The alert uses the example of attackers exploiting CVE-2019-19781 – a vulnerability in Citrix Application Delivery Controller and Gateway – but it’s one of several which have been exploited in cyber attacks in recent years, allowing attackers to secretly enter networks.
In each of these cases, the affected vendor has released a critical security patch – and in some cases these have been available for years – but organisations which don’t apply the updates are still vulnerable to attacks.
The FBI, DoH and CISA also warn about attacks using WellMess – a form of custom malware associated with APT 29, which has been used in attacks targeting Covid-19 vaccine research facilities. While stolen RDP credentials have been used to help install the malware, it’s also been known for attackers to attempt to distribute it via spear-phishing emails.
The alert on Russian hacking techniques has been released in order to encourage organisations to examine their networks and gain a better understanding of how to secure against attacks.
“The FBI and DHS are providing information on the SVR’s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks,” said the alert.
MORE ON CYBERSECURITY