Hackers at Russia’s Foreign Intelligence Service (SVR) have been spying on US, European and global entities for years to collect intelligence and enable future cyber operations, according to US and UK intelligence agencies.
In a joint advisory published on October 10, four government agencies from the US and the UK warned of an ongoing cyber espionage campaign by APT29, a hacking group associated with SVR, also known as Cozy Bear, Midnight Blizzard, Nobelium and the Dukes.
This spying campaign dates back to at least 2021 and has contributed to Russia’s effort in the ongoing invasion of Ukraine since February 2022.
Targeted organizations include government and diplomatic entities, technology companies, think tanks, international organizations and cleared defense contractors primarily based in North America and Western Europe. Some public and private sector organizations in Asia, Africa, Russia’s neighboring countries and South America have also been targeted.
The primary purpose of this broad-scale ongoing campaign is to collect foreign intelligence and technical data, and establish accesses to enable subsequent supply chain compromises.
APT29’s Cyber Espionage Tactics, Techniques and Procedures
SVR’s typical approach starts with scanning internet-facing systems for unpatched vulnerabilities.
The hackers’ initial access generally involves exploiting publicly disclosed vulnerabilities in professional services, such as JetBrains TeamCity or Zimbra, network appliances like Citrix NetScaler Gateway, or commodity software like Google Chrome or Microsoft Teams.
Read more: Software Updates, A Double-Edged Sword for Cybersecurity Professionals
Other techniques include spearphishing, password spraying, abuse of supply chain and trusted relationships, custom and bespoke malware, cloud exploitation, and living-off-the-land (LotL) techniques to gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information.
APT29 often uses The Onion Router (TOR) network, leased and compromised infrastructure and proxies to obfuscate its activity.
“When the SVR suspects their intrusions have been identified by their victim or law enforcement, they quickly attempt to destroy their infrastructure and any evidence on it. To remain undetected, the SVR frequently uses tools and programs already on victim networks to avoid anti-virus software,” the advisory added.
Mitigation Recommendations
UK and US agencies shared a list of implementation recommendations to mitigate the SVR cyber espionage threat. These include:
- Prioritizing rapid deployment of patches and software updates as soon as they become available
- Enabling automatic updates where possible.
- Disabling Internet-accessible services that you do not need, or restrict access to trusted networks, and removing unused applications and utilities from workstations and development environments
- Checking for open ports and obsolete or unused protocols, especially on Internet-facing systems
- Isolating Internet-facing services in a network demilitarized zone (DMZ) to reduce exposure of internal networks
- Enforcing multifactor authentication (MFA) whenever possible
- Requiring additional identity challenges for enrolment of new devices when users are permitted to self-enroll MFA mechanisms or register devices on the corporate network
- Regularly auditing cloud-based accounts and applications with administrative access to email for unusual activity
- Limiting token access lifetimes and monitoring for evidence of token reuse
The signatories of the joint advisory include the FBI, the NSA, the Cyber National Mission Force (CNMF) in the US and the UK’s National Cyber Security Centre (NCSC).