A joint cybersecurity advisory by U.S. federal agencies warned about active cyber espionage campaigns by state-sponsored Russian hackers.
The agencies warned that cyber actors backed by the Russian Foreign Intelligence Service (SVR) would continue to seek intelligence from U.S. entities through cyber exploitation.
The National Security Agency (NSA), the Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI), jointly issued Alert AA21-116A.
The agencies assessed the malicious activities of Russian state-backed hackers identified as Advanced Persistent Threat actor 29 (APT 29), CozyBear, CozyDuke, Yttrium, the Dukes, among other identities.
Joint cybersecurity advisory warns of Russian hackers targeting U.S. and allied networks
U.S. government agencies released the “Russian SVR Targets U.S. and Allied Networks” cybersecurity advisory on April 15, 2021.
The FBI and DHS also provided information on the tactics, techniques, and procedures (TTPs) and capabilities of the Russian hackers involved in the ongoing cyber espionage campaign against the United States and its allies.
The report noted SVR cyber activity associated with threat actor APT 29 could be traced back to before 2018. Several entities had issued detailed information about the threat actors’ tools and techniques to compromise and move laterally across networks.
The U.S., the U.K., and Canada had observed malicious activity associated with Russian hackers using the WellMess malware.
Tactics employed by Russian hackers
Since 2018, SVR-backed Russian hackers have shifted to targeting cloud resources such as Microsoft Office 365 email accounts instead of deploying malware. The recent large-scale exploitation of Microsoft Exchange servers is a testament to the evolving tactics employed by hackers backed by the Russian government.
The cybersecurity advisory also noted that Russian hackers resorted to password spraying to compromise administrative accounts protected with weak passwords.
In a 2018 attack, Russian hackers password-sprayed accounts infrequently, in a “low and slow” manner, to avoid detection. They used a large number of IP addresses, including residential, commercial, mobile, and The Onion Router (Tor) addresses, located in the targeted country.
“During the period of their access,” the cybersecurity advisory reads, “the actors consistently logged into the administrative account to modify account permissions, including removing their access to accounts presumed to no longer be of interest, or adding permissions to additional accounts.”
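Detection logic for the low-and-slow pattern described above, as an added example that is not part of the advisory or this article. The failed-login records, IP addresses and account names are constructed, and the thresholds are illustrative assumptions:

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed failed-login records: (timestamp, source IP, target account).
# Modelled on the "low and slow" pattern: each account is tried at most twice,
# attempts are hours apart, and every attempt comes from a different address
# (documentation ranges only; none of these values are real indicators).
SAMPLE_FAILED_LOGINS = [
    ("2021-03-01 01:10:00", "203.0.113.10", "admin1"),
    ("2021-03-01 05:42:00", "198.51.100.7", "jsmith"),
    ("2021-03-01 09:15:00", "203.0.113.55", "mjones"),
    ("2021-03-01 13:03:00", "192.0.2.88", "helpdesk"),
    ("2021-03-01 17:30:00", "198.51.100.120", "svc_backup"),
    ("2021-03-01 22:20:00", "203.0.113.200", "admin1"),
    ("2021-03-02 03:05:00", "192.0.2.19", "kchen"),
]


def detect_low_and_slow_spray(records, window=timedelta(hours=24),
                              min_accounts=5, max_tries_per_account=2,
                              min_sources=4):
    """Flag windows of failed logins that are wide (many accounts, many source
    addresses) but shallow (few tries per account).

    A per-account lockout or brute-force rule never fires on this traffic, and
    source addresses inside the target country pass a naive geo-filter, so
    breadth across accounts and sources is the signal. Thresholds are
    illustrative assumptions to tune per environment.
    Returns a list of (window_start, window_end, accounts, sources)."""
    parsed = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user)
                    for ts, ip, user in records)
    hits = []
    i = 0
    while i < len(parsed):
        start = parsed[i][0]
        in_window = [r for r in parsed[i:] if r[0] - start <= window]
        per_account = Counter(user for _, _, user in in_window)
        sources = {ip for _, ip, _ in in_window}
        if (len(per_account) >= min_accounts
                and max(per_account.values()) <= max_tries_per_account
                and len(sources) >= min_sources):
            hits.append((start, in_window[-1][0],
                         sorted(per_account), sorted(sources)))
            i += len(in_window)  # skip events already attributed to this spray
        else:
            i += 1
    return hits
```

Running `detect_low_and_slow_spray(SAMPLE_FAILED_LOGINS)` returns one window covering the first six records; a single account hammered from one address returns nothing, which is the gap this view closes.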
Russian hackers also leveraged zero-day vulnerabilities to exploit systems, especially virtual private network (VPN) appliances, according to the joint alert.
This method allowed the hackers to harvest user credentials and compromise the victims’ networks using legitimate accounts.
Some victims could not identify the initial attack vector following a zero-day exploit, which allowed the hackers to regain access after being evicted from the network.
Fortinet FortiGate and Pulse Connect Secure VPNs, VMware Workspace ONE Access, and Citrix Application Delivery Controller and Gateway are among the remote access applications plagued by zero-days.
In an incident highlighted by the cybersecurity advisory, Russian hackers exploited CVE-2019-19781 to compromise a VPN device and access user credentials.
“Following exploitation of the device in a way that exposed user credentials, the actors identified and authenticated to systems on the network using the exposed credentials.”
The hackers established persistence on devices that were not protected using multi-factor authentication and “attempted to access web-based resources in specific areas of the network in line with information of interest to a foreign intelligence service.”
Russian hackers also frequently participated in general tradecraft activities such as procuring false identities, transacting using cryptocurrencies, and purchasing managed intrusion infrastructure.
They also conducted supply chain attacks similar to the SolarWinds attacks that had compromised nine federal agencies and more than 100 private entities.
“The SVR’s modification and use of trusted SolarWinds products as an intrusion vector is also a notable departure from the SVR’s historic tradecraft,” the cybersecurity advisory states.
The use of temporary email addresses, such as cock[.]li domains, and disposable VoIP telephone numbers was rampant, according to the NSA, CISA, and FBI joint cybersecurity advisory. Similarly, Russian hackers regularly used commercial and open-source tools such as Mimikatz and Cobalt Strike during intelligence-gathering missions. They also monitored IT staff to obtain network information and to determine whether the victims had detected their intrusions.
Cybersecurity advisory seeks to expose cyber threat actors
The newly appointed cybersecurity director, Rob Joyce, believes that exposing threat actors forces them to reorganize their operations.
“We’re taking away the tools and capabilities of these adversaries,” Joyce said while testifying on Capitol Hill. “By exposing the implants and malware, they then lose that capability and they have to redevelop.”
The U.S. government has consequently imposed sanctions on six technology companies and ten Russian officials in connection with the persistent cyber-espionage campaign.
While intelligence gathering is a priority for Russian hackers, they have also been used to influence elections to the advantage of the Kremlin. For example, APT 29 was attributed with the hacking of the Democratic National Committee (DNC) during the 2016 presidential election.
“The threat actor APT29 also known as The Dukes, Cozy Duke, Cozy Bear, EuroAPT, Hammer Toss, YTTRIUM, Iron Hemlock, Office Monkeys and Grizzly Steppe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making,” says Anurag Gurtu, CPO at StrikeReady.
Gurtu noted that APT29 used various malware such as Meek, Cobalt Strike, iDiscoverer, Mimikatz, and ATI-Agent to target countries such as the United States, New Zealand, Romania, Portugal, India, Korea, Republic of Kazakhstan, Mexico, China, Japan, Brazil, Ukraine, Belgium, and Turkey.
“The most recent campaign observed by the StrikeReady intelligence team found APT29 victimizing Government and Ministries of Foreign Affairs of various European countries, and United States. The campaign was collectively named Operation Ghost, where [the] MiniDuke backdoor was installed as a second-stage backdoor, which was dropped by one of the two first-stage components. StrikeReady team suggested applying multiple YARA and SNORT signatures to safeguard the organization,” Gurtu added.
“During the month of April 2021, the StrikeReady intelligence team has captured over ten attacks that originated from Russia and targeted more than eight countries. Of these countries, the United States and Japan were the most targeted, by four and two distinct threat actors, respectively.”