Russian intelligence hackers' tradecraft was uncovered by the FBI and CISA on Monday. The investigating agencies exposed the tactics, techniques, and procedures (TTPs) adopted by the Russian Foreign Intelligence Service (SVR) to carry out attacks targeting U.S. and foreign entities.
According to the agencies' advisory, “the SVR activity—which includes the recent SolarWinds Orion supply chain compromise—primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.”
The Russian intelligence hackers are also tracked under different names, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium. The advisory follows U.S. sanctions on Russia, the expulsion of those involved, and the attribution of the SolarWinds hack and other related cyber-espionage campaigns to government operatives working for the SVR.
FBI said, “Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations.”
Other tactics used by APT29 include password spraying, exploiting zero-day flaws in virtual private network appliances to obtain network access, and deploying a Golang malware called WELLMESS to steal intellectual property from a number of organizations, including those involved in COVID-19 vaccine development.
The hacking group also gained an initial foothold in victims’ devices and networks by exploiting CVE-2018-13379, CVE-2019-9670, CVE-2019-11510, and CVE-2020-4006.
The advisory has urged businesses to secure their networks by using trusted software.