The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have joined with the U.K.’s National Cyber Security Centre (NCSC) to release a joint cybersecurity advisory on the SolarWinds supply chain attack, once again attributing it to Russian Foreign Intelligence Service (SVR) hackers. The advisory also identifies further TTPs (tactics, techniques, and procedures) associated with these actors.
The cybersecurity advisory, “Further TTPs associated with SVR cyber actors,” provides details on new TTPs that SVR actors appear to have leveraged, in addition to those the U.S. agencies identified in mid-April.
Following the agencies’ analysis of SVR activity, including the exploitation that followed the initial compromise of the SolarWinds Orion software supply chain, the advisory points out that the SVR moved rapidly to exploit newly disclosed vulnerabilities. “Network defenders should ensure that systems are patched promptly following CVE announcements for products they manage,” the cybersecurity advisory said.
The advisory also provided details on SVR-leveraged malware, including WELLMESS, WELLMAIL, GoldFinder, GoldMax, and possibly Sibot, as well as open-source Red Team command and control frameworks, Sliver and Cobalt Strike.
The SVR is Russia’s civilian foreign intelligence service. It uses a variety of tools and techniques to target predominantly overseas governmental, diplomatic, think-tank, healthcare and energy organizations globally for intelligence gain. The SVR is a technologically sophisticated and highly capable cyber actor, and has developed capabilities to target organizations globally, including in the U.K., U.S., Europe, NATO member states, and Russia’s neighbors.
The Russian SVR hackers, also known as APT29, Cozy Bear, and The Dukes, used publicly known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials that would allow further access, according to an executive summary released by the U.S. government. The targeting and exploitation focused on U.S. and allied networks, including national security and government-related systems.
The NCSC advisory noted that the SolarWinds campaign showcased the actor’s willingness to target organizations that supply privileged software, such as network management or security applications, to many users or organizations. Attacks of this kind give SVR cyber actors initial access to a large number of organizations at once.
SVR actors regularly make use of publicly known vulnerabilities, alongside complex supply chain attacks, to gain initial access to target networks, the NCSC cybersecurity advisory said. Managing and applying security updates as quickly as possible will help reduce the attack surface available to SVR actors, and force them to use higher-equity tooling to gain a foothold in networks. Users must also adopt basic cybersecurity principles that will make it harder for even sophisticated actors to compromise target networks, it added.
After the compromise, NCSC and partner industry analysis identified that on multiple occasions SVR hackers used Cobalt Strike, a commercial Red Team command and control framework, to carry out their operations after initial exploitation, according to the NCSC advisory released last week. The group also deployed GoldFinder, GoldMax and Sibot malware after compromising a victim via SolarWinds. GoldMax is a custom backdoor and GoldFinder is a custom tool; both are written in Golang. Sibot is a simple custom downloader and, unlike other malware recently used by the group, is written in VBS, it added.
In separate incidents, the NCSC observed that once SVR cyber actors gained initial access to a victim’s network, they made use of the open-source Red Team command and control framework named Sliver, the NCSC cybersecurity advisory said. As observed in the SolarWinds incidents, SVR operators often used separate command and control infrastructure for each Sliver victim. SVR hackers have also used methods other than malware to maintain persistence on high-value targets, including the use of stolen credentials, it added.
In recent weeks, the NSA released guidelines and an evaluation methodology intended to improve operational technology (OT) and control system cybersecurity. The guidance, developed for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) OT owners and operators, provides details on how to evaluate risks to systems and improve the security of connections between OT and enterprise networks.
This week, the U.S. was faced with another cybersecurity attack on a different sector of its critical infrastructure. Colonial Pipeline was hit by a cybersecurity incident that disrupted the company’s operations, prompting the U.S. Department of Transportation (USDOT) to announce on Sunday that its Federal Motor Carrier Safety Administration (FMCSA) is issuing a temporary hours-of-service exemption. The exemption applies to those transporting gasoline, diesel, jet fuel, and other refined petroleum products to the affected customer base along the Southern and Eastern U.S. coasts.