The FBI, DHS, and CISA have warned about ongoing attacks coordinated by the Russian Foreign Intelligence Service (SVR), also tracked as APT29, against U.S. and foreign organizations. The SVR has also been linked to the recent SolarWinds Orion supply chain attack.
About the warning
- Password Spraying: In one compromise of a large network (in 2018), the threat actors used password spraying to identify a weak password on an administrative account.
- Leveraging a Zero-Day Vulnerability: In another incident, the SVR used a zero-day exploit (CVE-2019-19781) against a VPN appliance to gain access to the internal network.
- The WELLMESS Malware: In 2020, intrusion attempts against government organizations in the U.K., Canada, and the U.S. using malware known as WELLMESS were attributed to APT29 (the SVR).
- Similarities with SolarWinds-enabled Intrusions: In mid-2020, the group used modified SolarWinds network monitoring software as an initial intrusion vector. This attack vector resembles those seen in other SVR-sponsored intrusions.
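As an added example (not from the advisory or this article), a minimal detection heuristic for the password-spraying pattern described above, run over constructed sample authentication log lines: it flags a source that fails against many distinct accounts in a short window, which is what distinguishes spraying from single-account brute force, and reports any later successful login from that source. Log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): "<ISO ts> auth: <OK|FAIL> user=<u> src=<ip>".
# 203.0.113.7 sprays many accounts then hits "admin"; 198.51.100.4 brute-forces one account.
SAMPLE_LOG = """\
2021-04-26T10:00:01 auth: FAIL user=alice src=203.0.113.7
2021-04-26T10:00:03 auth: FAIL user=bob src=203.0.113.7
2021-04-26T10:00:05 auth: FAIL user=carol src=203.0.113.7
2021-04-26T10:00:08 auth: FAIL user=dave src=203.0.113.7
2021-04-26T10:00:10 auth: FAIL user=erin src=203.0.113.7
2021-04-26T10:00:12 auth: OK user=admin src=203.0.113.7
2021-04-26T10:05:00 auth: FAIL user=alice src=198.51.100.4
2021-04-26T10:05:30 auth: FAIL user=alice src=198.51.100.4
2021-04-26T10:06:00 auth: FAIL user=alice src=198.51.100.4
2021-04-26T10:06:30 auth: FAIL user=alice src=198.51.100.4
2021-04-26T10:07:00 auth: FAIL user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Return (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source that fails against >= min_users distinct accounts within window.
    Spraying spreads few guesses over many accounts, so count users per source,
    not attempts per user (the brute-force pattern, which this deliberately ignores)."""
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                # Successful logins from the same source after the spray began point at the weak account it found.
                later_ok = sorted({e[2] for e in events if e[3] == src and e[1] == "OK" and e[0] >= start})
                alerts[src] = {"distinct_users": len(users), "later_success": later_ok}
                break
    return alerts
```

On the sample data only 203.0.113.7 is flagged (five accounts in eleven seconds, followed by a success on "admin"); the single-account hammering from 198.51.100.4 is left for a lockout or brute-force rule.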
The recent attacks targeted government networks, think tanks, policy analysis organizations, and IT companies, with the attackers seeking intelligence from the targeted entities.
- Recently, the U.S. government formally linked the SolarWinds supply chain attack to APT29.
- In addition, the recent advisory complements a previous one published on April 15 that shared details of the vulnerabilities exploited by the threat actor.
CISA stated that APT29 will continue to collect intelligence from U.S. and foreign entities through cyber exploitation, using a range of sophisticated initial exploitation techniques and stealthy intrusion tradecraft. The alert also shares recommendations and mitigation measures that organizations worldwide should follow.