The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) jointly released a Cybersecurity Advisory, “Russian SVR Targets U.S. and Allied Networks,” today to expose ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. This advisory is being released alongside the U.S. Government’s formal attribution of the SolarWinds supply chain compromise and related cyber espionage campaign. We are publishing this product to highlight additional tactics, techniques, and procedures being used by SVR so that network defenders can take action to mitigate against them.
Mitigation against these vulnerabilities is critically important as U.S. and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors. In addition to compromising the SolarWinds Orion software supply chain, recent SVR activities include targeting COVID-19 research facilities via WellMess malware and targeting networks through the VMware vulnerability disclosed by NSA. This was highlighted in NSA’s Cybersecurity Advisory, “Russian State-Sponsored Actors Exploiting Vulnerability in Workspace ONE Access Using Compromised Credentials.”
Cybersecurity AdvisoryFederal Bureau of InvestigationCybersecurity & Infrastructure Security AgencyNationalSecurityAgencyRussian SVR Targets U.S. and Allied NetworksExecutive summaryRussian Foreign Intelligence Service (SVR) actors (also known as APT29, CozyBear, and The Dukes) frequently use publiclyknown vulnerabilitiesto conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access. This targeting and exploitation encompasses U.S. and allied networks, including national security and government–related systems.Recent Russian SVR activities include compromisingSolarWinds®Orion®software updates,targeting COVID–19 research facilities through deployingWellMess malware,and leveraginga VMware®vulnerabilitythatwas a zero–day at the time forfollow–on Security Assertion Markup Language (SAML)authentication abuse.SVR cyber actors also used authentication abusetactics followingSolarWinds–based breaches.