Table of Contents
The U.S. The Department of Homeland Security (DHS), the FBI, and the Cyber Security and Infrastructure Security Agency have released a joint advisory on Monday.
It is seeking to expose Russian Foreign Intelligence Service (SVR) tactics, techniques, and procedures. SVR is accused of carrying out attacks targeting the U.S and foreign entities.
In their intelligence agencies report, “the SVR activity is targeted toward government networks, think tank and policy analysis organizations, and information technology companies primarily as a means of acquiring intelligence information via stealthy intrusion tradecraft within compromised networks.”
In addition to AP 29, Dukes, Cozy Bear, and Yttrium, the cyber actor is also tracked as part of State Department sanctions against Russia.
The U.S. also formally identified the Cyberespionage campaign to be connected to SVR.
It was confirmed that the attacks and threats were real and carried out by the Russian Foreign Intelligence Service.
APT29, since gaining traction in 2013, has committed a number of attacks to infiltrate victim networks, moving undetected throughout their environment, and stealing sensitive information.
The actor changed tactics substantially in 2018, moving from targeting targeted networks to performing attacks on cloud-based email services.
This was borne out in the SolarWinds attack, where the actor infected Office 365 organizations using Orion binaries as an intrusion vector.
These post-infection activities appear to be similar to some other SVR-sponsored attacks, including the way the adversary moved through the networks in order to acquire email access.
As a result, solarwinds.com might have been blamed for these operations even if the method used to gain an initial foothold differed noticeably from FBI SolarWinds.com.
“Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,” the agency noted.