Federal Agencies Detail Russian Tactics Used in Recent Cyber Intrusions


The FBI, Homeland Security Department and Cybersecurity and Infrastructure Security Agency issued an alert on Russian government cyber tradecraft and mitigation techniques for targets.

After publicly naming the Russian Foreign Intelligence Service, or SVR, as the culprit behind the SolarWinds hack that affected at least nine federal agencies, a set of U.S. security agencies released an alert outing the hackers’ techniques and describing best practices for defending against them.

In an alert issued Monday, the FBI, Homeland Security Department and Cybersecurity and Infrastructure Security Agency, or CISA, released technical details on Russian hacking groups that “continue to seek intelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks.”

While the group targets a variety of institutions with valuable national security information, government agencies are at the top of that list.

The SVR's hackers are tracked by the security industry as an advanced persistent threat, or APT, group that has gone by many names: APT 29, the Dukes, Cozy Bear and Yttrium, among others. The new alert notes “SVR cyber operators are capable adversaries.”

APT 29 was first identified as a distinct group as early as 2008, though U.S. agencies warn that the hackers’ tactics seem to have shifted a few years ago.

“Beginning in 2018, the FBI observed the SVR shift from using malware on victim networks to targeting cloud resources, particularly e-mail, to obtain information,” the release states. “Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations.”

In the SolarWinds intrusion, the hackers compromised the company's software build environment and embedded malicious code in a legitimate, digitally signed Orion update that was then pushed to customers. From there, they moved laterally through victims' networks, harvesting additional credentials and establishing deeper footholds.

Several tactics used in this campaign are similar to other “post-infection tradecraft” used by SVR hackers, “including how the actors purchased and managed infrastructure used in the intrusions.”

That infrastructure—including virtual private servers and temporary email addresses and phone numbers—is often purchased through vendors located in the target country to increase the perceived legitimacy.

The alert issued Monday outlines several of APT 29’s other go-to techniques, including:

Password spraying, in which attackers try a small number of common passwords against many accounts, rather than many passwords against one account, so that no single account trips a lockout threshold. While the technique might seem simple—spray and pray—APT 29 hackers brought it to a new level.

“The actors conducted the password spraying activity in a ‘low and slow’ manner, attempting a small number of passwords at infrequent intervals, possibly to avoid detection,” the release states. “The password spraying used a large number of IP addresses all located in the same country as the victim, including those associated with residential, commercial, mobile, and The Onion Router (TOR) addresses.”
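The pattern quoted above is built to slip past the controls most organizations rely on: per-account lockouts and per-IP rate limits see one or two failures per key, spread over hours, from addresses that look local. As an added example that is not part of the alert or this article, the Python below runs both a naive burst rule and a cross-account correlation over a constructed authentication log (the log format, the account names, addresses and thresholds are all assumptions for illustration), shows that only the correlation surfaces the campaign, and then lists later successful logins to sprayed accounts from addresses those accounts had never used before.

```python
"""Spotting 'low and slow' password spraying spread across many source IPs.
Added example, not code from the alert or the article: the log format, the
names, addresses and thresholds are assumptions, and the sample log is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Set

Event = NamedTuple("Event", [("ts", datetime), ("user", str), ("src", str), ("ok", bool)])

def _line(ts: str, user: str, src: str, result: str) -> str:
    return f"{ts} LOGIN user={user} src={src} result={result}"

# Constructed sample. Spray: one FAIL per account, ~95 minutes apart, each from a
# different (TEST-NET) address. Noise: alice mistypes twice from her usual address
# and then succeeds; carol logs in normally. Hit: the sprayed password worked for
# dave, and the operator later logs in from yet another address.
_SPRAY_USERS = ["bob", "carol", "dave", "erin", "frank", "grace",
                "heidi", "ivan", "judy", "mallory", "niaj", "olivia"]
_lines = [
    _line("2021-04-25T09:02:00Z", "alice", "192.0.2.15", "SUCCESS"),   # baseline
    _line("2021-04-25T09:30:00Z", "carol", "192.0.2.40", "SUCCESS"),   # baseline
    _line("2021-04-26T08:00:00Z", "alice", "192.0.2.15", "FAIL"),
    _line("2021-04-26T08:00:20Z", "alice", "192.0.2.15", "FAIL"),
    _line("2021-04-26T08:00:45Z", "alice", "192.0.2.15", "SUCCESS"),
    _line("2021-04-26T09:15:00Z", "carol", "192.0.2.40", "SUCCESS"),
    _line("2021-04-26T22:30:00Z", "dave", "198.51.100.77", "SUCCESS"),
]
_spray_start = datetime(2021, 4, 26, 1, 0, 0)
for _i, _user in enumerate(_SPRAY_USERS):
    _ts = (_spray_start + timedelta(minutes=95 * _i)).strftime("%Y-%m-%dT%H:%M:%SZ")
    _lines.append(_line(_ts, _user, f"203.0.113.{10 + _i}", "FAIL"))
SAMPLE_LOG = "\n".join(_lines) + "\n"

def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            fields["user"], fields["src"], fields["result"] == "SUCCESS"))
    return sorted(events)

def lockout_triggers(events, threshold=5, window=timedelta(hours=1)) -> Set[tuple]:
    """Per-source and per-account burst counting, i.e. what an account-lockout
    policy or a simple SIEM rule sees. Returns the (kind, key) pairs that trip it."""
    hits = set()
    for kind in ("src", "user"):
        buckets: Dict[str, List[datetime]] = defaultdict(list)
        for e in events:
            if not e.ok:
                buckets[getattr(e, kind)].append(e.ts)
        for key, times in buckets.items():
            if any(sum(1 for u in times[i:] if u - t <= window) >= threshold
                   for i, t in enumerate(times)):
                hits.add((kind, key))
    return hits

def detect_spray(events, window=timedelta(hours=24), min_accounts=10,
                 max_per_account=2, min_sources=5) -> Optional[dict]:
    """Correlate failures across accounts instead of per key: many distinct
    accounts, few failures each, many distinct sources, inside one sliding
    window. Returns the window with the most affected accounts, or None."""
    fails = sorted(e for e in events if not e.ok)
    best = None
    for i, first in enumerate(fails):
        in_win = [e for e in fails[i:] if e.ts - first.ts <= window]
        per_user = Counter(e.user for e in in_win)
        sources = {e.src for e in in_win}
        if (len(per_user) >= min_accounts and len(sources) >= min_sources
                and max(per_user.values()) <= max_per_account):
            if best is None or len(per_user) > len(best["users"]):
                best = {"start": first.ts, "end": in_win[-1].ts, "users": set(per_user),
                        "sources": sources, "attempts": len(in_win)}
    return best

def followup_logins(events, finding) -> List[Event]:
    """Successes for sprayed accounts after the spray began, from a source that
    account had never succeeded from before the window: the hits worth triaging."""
    known: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.ok and e.ts < finding["start"]:
            known[e.user].add(e.src)
    return [e for e in sorted(events) if e.ok and e.ts >= finding["start"]
            and e.user in finding["users"] and e.src not in known[e.user]]

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("lockout rule trips:", lockout_triggers(evts) or "none")
    spray = detect_spray(evts)
    print(len(spray["users"]), "accounts from", len(spray["sources"]), "sources")
    for e in followup_logins(evts, spray):
        print("triage:", e.user, "from", e.src, "at", e.ts)
```

On the sample the burst rule trips nothing, while the cross-account window reports 13 accounts hit from 13 addresses in 14 attempts, and the only login worth triaging is dave's from an address he had never used. The thresholds are placeholders to tune per tenant; what matters is that detection aggregates across accounts and keeps a per-account baseline of known sources, because the addresses themselves are chosen to look like ordinary local traffic.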

Zero-day exploits were used in some cases, including one against a virtual private network, or VPN, appliance through a vulnerability for which no patch existed at the time. APT 29 hackers exploited the flaw to gain full access to the network, then targeted additional internal systems that were not protected by multifactor authentication, so that stolen credentials alone were enough to reach them.

In one instance, the victim attempted to boot the hackers from the network but “had not identified the initial point of access,” allowing the hackers to use “the same VPN appliance vulnerability to regain access,” the alert states.

The group also exploited known but unpatched vulnerabilities in internet-facing systems to deploy malware dubbed WELLMESS. That activity was publicly tied to the SVR in 2020, when the group targeted organizations involved in COVID-19 vaccine development.

“These intrusions, which mostly relied on targeting on-premises network resources, were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment,” the notice states.

Monday’s alert includes additional details on all of the above techniques, as well as a short-list of recommended defenses for organizations—including federal agencies.

The agencies also “recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services.”