U.S. intelligence agencies revealed on Monday that Russian SVR cyber hackers used a range of initial exploitation techniques that vary in sophistication, coupled with ‘stealthy intrusion tradecraft within compromised networks.’ The Russian Foreign Intelligence Service (SVR) cyber hackers have primarily targeted government networks, think tanks and policy analysis organizations, and information technology companies.
The SVR cyber hackers have been identified as Advanced Persistent Threat 29 (APT 29), also tracked as the Dukes, CozyBear and Yttrium, by the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and Cybersecurity and Infrastructure Security Agency (CISA) in a joint cybersecurity advisory. The FBI and DHS recommend that service providers mitigate their risks and strengthen user validation and verification systems to prevent misuse of their services.
The current advisory complements an earlier one issued by the agencies alleging ongoing Russian SVR exploitation of five publicly known vulnerabilities, which was released alongside the government’s formal attribution of the SolarWinds supply chain compromise and related cyber-espionage campaign.
SVR cyber operations have posed a longstanding threat to the U.S., and the intelligence agencies provided various technical details in their latest advisory. Before 2018, several private cybersecurity companies published reports about APT 29 operations to obtain access to victim networks and steal information, highlighting the use of customized tools to maximize stealth inside victim networks and APT 29 hackers’ ability to move within victim environments undetected.
Beginning in 2018, the FBI observed the SVR shift from using malware on victim networks to targeting cloud resources, especially email, in order to obtain information. The exploitation of Microsoft Office 365 environments following network access gained through the use of modified SolarWinds software reflects this continuing trend.
Targeting cloud resources probably reduces the likelihood of detection: compromised accounts or system misconfigurations let the intruders blend in with normal or unmonitored traffic in an environment that the victim organization does not defend, monitor, or understand well.
In a 2018 compromise of a large network, SVR cyber hackers used password spraying to identify a weak password associated with an administrative account. The hackers conducted the password spraying in a ‘low and slow’ manner, attempting a small number of passwords at infrequent intervals, possibly to avoid detection. The password spraying used a large number of IP addresses all located in the same country as the victim, including residential, commercial, mobile, and Tor exit addresses.
The organization unintentionally exempted the compromised administrator’s account from multi-factor authentication requirements, according to the joint cybersecurity advisory. With access to the administrative account, the cyber intruders modified permissions of specific email accounts on the network, allowing any authenticated network user to read those accounts.
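The two detection gaps in that incident are worth making concrete: a per-source burst rule never fires on a spray that touches each account once from many in-country addresses hours apart, and the final success lands on the one account that sits outside MFA enforcement. The following is an added example, not code from the advisory or its authors; the sign-in log, account names, IP addresses, MFA policy set and thresholds are all constructed assumptions chosen to mirror the tradecraft described above.

```python
"""Low-and-slow password-spray detection over constructed sign-in events.

Added example (not from the advisory): the log, IPs, account names and
thresholds are assumptions chosen to mirror the tradecraft in the text.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <source IP> <outcome>".
# Twelve accounts are each tried once, hours apart, from three in-country
# addresses; only the MFA-exempt "it-admin" account finally succeeds. Two
# legitimate events (alice's normal login, bob mistyping his password) are
# mixed in so the rule has to tell them apart.
SAMPLE_LOG = """\
2018-03-01T01:05:12 alice    198.51.100.7 FAILURE
2018-03-01T01:48:40 bob      198.51.100.7 FAILURE
2018-03-01T03:02:03 carol    203.0.113.44 FAILURE
2018-03-01T03:59:51 dave     203.0.113.44 FAILURE
2018-03-01T05:30:20 erin     192.0.2.88   FAILURE
2018-03-01T06:14:09 frank    192.0.2.88   FAILURE
2018-03-01T08:30:00 alice    10.0.0.5     SUCCESS
2018-03-01T08:45:33 grace    198.51.100.7 FAILURE
2018-03-01T09:00:00 bob      10.0.0.9     FAILURE
2018-03-01T09:00:20 bob      10.0.0.9     FAILURE
2018-03-01T09:00:45 bob      10.0.0.9     SUCCESS
2018-03-01T09:31:27 heidi    203.0.113.44 FAILURE
2018-03-01T11:02:55 ivan     192.0.2.88   FAILURE
2018-03-01T12:20:16 judy     198.51.100.7 FAILURE
2018-03-01T13:47:01 mallory  203.0.113.44 FAILURE
2018-03-01T15:11:48 it-admin 192.0.2.88   FAILURE
2018-03-01T20:38:10 it-admin 198.51.100.7 SUCCESS
"""

# Assumed policy state: every account except it-admin is enforced for MFA.
MFA_ENFORCED = {"alice", "bob", "carol", "dave", "erin", "frank",
                "grace", "heidi", "ivan", "judy", "mallory"}


def parse_log(text):
    """Parse the text log into (timestamp, user, ip, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return sorted(events, key=lambda e: e[0])


def burst_alerts(events, window=timedelta(minutes=10), threshold=20):
    """Classic per-source rule: >= threshold failures from one IP inside `window`.
    Returns the offending IPs. A low-and-slow spray never trips this."""
    failures_by_ip = defaultdict(list)
    for ts, _user, ip, outcome in events:
        if outcome == "FAILURE":
            failures_by_ip[ip].append(ts)
    alerts = set()
    for ip, times in failures_by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(ip)
    return alerts


def low_and_slow_spray(events, window=timedelta(hours=24), min_users=8, max_per_user=3):
    """Campaign-level rule: within a trailing `window`, failures that touch at least
    `min_users` distinct accounts, none failing more than `max_per_user` times.
    A source only counts if it failed against two or more different accounts,
    which drops a single user mistyping their own password. Returns the widest
    qualifying window as a dict, or None."""
    failures = [e for e in events if e[3] == "FAILURE"]
    best, start = None, 0
    for end in range(len(failures)):
        while failures[end][0] - failures[start][0] > window:
            start += 1
        span = failures[start:end + 1]
        users_per_ip = defaultdict(set)
        for _ts, user, ip, _o in span:
            users_per_ip[ip].add(user)
        spray_ips = {ip for ip, users in users_per_ip.items() if len(users) >= 2}
        per_user = Counter(u for _ts, u, ip, _o in span if ip in spray_ips)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            if best is None or len(per_user) > len(best["users"]):
                best = {"window_start": span[0][0], "window_end": span[-1][0],
                        "users": sorted(per_user), "sources": sorted(spray_ips)}
    return best


def spray_logins(events, finding, mfa_enforced):
    """Successful sign-ins from a spray source after the spray began, each tagged
    with whether the account sat outside MFA enforcement (the gap in the incident)."""
    if finding is None:
        return []
    return [{"time": ts, "user": user, "ip": ip, "mfa_exempt": user not in mfa_enforced}
            for ts, user, ip, outcome in events
            if outcome == "SUCCESS" and ip in finding["sources"]
            and ts >= finding["window_start"]]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("burst rule alerts:", burst_alerts(ev) or "none")
    found = low_and_slow_spray(ev)
    print("spray campaign:", found)
    for hit in spray_logins(ev, found, MFA_ENFORCED):
        print("success from spray source:", hit)
```

On the sample data the burst rule returns nothing, while the campaign rule reports twelve accounts sprayed from three addresses and a single success on it-admin flagged as MFA-exempt. The same shape applies to real Azure AD or on-premises sign-in logs: key the window on the tenant rather than the source, and treat "many accounts, few attempts each, many sources" as the signature rather than volume from one IP.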
In another incident, SVR cyber hackers exploited what was at the time a zero-day vulnerability in a virtual private network (VPN) appliance to obtain network access. The exploitation of the device exposed user credentials, and the hackers then identified and authenticated to systems on the network using those credentials.
The hackers worked to establish a foothold on several different systems that were not configured to require multi-factor authentication and attempted to access web-based resources in specific areas of the network in line with information of interest to a foreign intelligence service.
Following initial discovery, the victim attempted to evict the hackers. However, the victim had not identified the initial point of access, and the hackers used the same VPN appliance vulnerability to regain access. Eventually, the initial access point was identified and removed from the network, and the intruders were evicted. As in the previous case, the hackers used dedicated virtual private servers (VPSs) located in the same country as the victim, probably so that their traffic would not stand out as anomalous against normal activity.
Last year, the governments of the U.K., Canada, and the U.S. attributed intrusions perpetrated using malware known as WELLMESS to APT 29, according to the joint cybersecurity advisory. WELLMESS was written in the Go programming language, and the previously-identified activity appeared to focus on targeting COVID-19 vaccine development.
The FBI’s investigation revealed that following the initial compromise of a network through an unpatched, publicly-known vulnerability, the hackers deployed WELLMESS. Once on the network, the hackers targeted each organization’s vaccine research repository and Active Directory servers, the joint cybersecurity advisory said. The intrusions mainly relied on targeting on-premises network resources, a departure from the SVR’s historic strategy, and likely indicate new ways the cyber intruders are evolving.
Last year, using modified SolarWinds network monitoring software as an initial intrusion vector, the SVR cyber hackers began to expand their access to numerous networks. The SVR’s modification and use of trusted SolarWinds products as an intrusion vector is also a notable departure from the SVR’s historic tradecraft.
The FBI’s initial findings indicate post-infection tradecraft similar to other SVR-sponsored intrusions, including how the actors purchased and managed the infrastructure used in the intrusions, the joint cybersecurity advisory said. After obtaining access to victim networks, SVR cyber actors moved through the networks to obtain access to email accounts.
FBI investigations have revealed that infrastructure used in the intrusions is frequently obtained using false identities and cryptocurrencies. VPS infrastructure is often procured from a network of VPS resellers. These false identities are usually supported by low reputation infrastructure including temporary e-mail accounts and temporary voice over internet protocol (VoIP) telephone numbers. While not exclusively used by SVR cyber intruders, a number of SVR cyber personas use email services hosted on cock[.]li or related domains.
The FBI also notes that the SVR cyber hackers have consistently used open source or commercially available tools, including Mimikatz, an open source credential-dumping tool, and Cobalt Strike, a commercially available exploitation tool, the advisory added.