Russian Foreign Intelligence Service Accused of Targeting the U.S. and Allied Digital Networks
On Thursday, April 15th, the United States National Security Agency (N.S.A.), Federal Bureau of Investigation (F.B.I.), and Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement outlining evidence of cyber-attacks carried out by the Russian Foreign Intelligence Service (known by the acronym S.V.R.). The full text of the federal cybersecurity advisory is available here; it states that S.V.R. actors known as APT29, Cozy Bear, and The Dukes have been implicated in attacks exploiting five previously unknown vulnerabilities:
- CVE-2018-13379 Fortinet®
- CVE-2019-9670 Zimbra®
- CVE-2019-11510 Pulse Secure®
- CVE-2019-19781 Citrix®
- CVE-2020-4006 VMware®
Recommended Mitigation Procedures to Counter this Cyber Threat Event
Due to the scope and complexity of this current cyber threat event, the N.S.A., CISA, and F.B.I. recommend immediate actions to mitigate the impact of these attacks. Failure to mitigate these issues creates a national security risk, because sensitive data related to U.S. policies, strategies, plans, ongoing operations, and competitive advantages is exposed. The specific techniques utilized in this current threat event include:
- Exploiting public-facing applications (T1190)
- Leveraging external remote services (T1133)
- Compromising supply chains (T1195)
- Using valid accounts (T1078)
- Exploiting software for credential access (T1212)
- Forging web credentials: SAML tokens (T1606.002)
The advisory's recommended mitigations are:
- Update systems and products as soon as possible after patches are released.
- Assume a breach will happen; review accounts and leverage the latest eviction guidance available.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in client device configurations.
- Reduce exposure of the local network by separating internet-facing services into a small, isolated network.
- Enable robust logging of internet-facing services and authentication functions. Continuously hunt for signs of compromise or credential misuse, particularly in cloud environments.
- Adopt a mindset that compromise happens: Prepare for incident response activities.
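The advisory pairs the SAML token forgery technique (T1606.002) with the advice to log authentication functions and hunt continuously for credential misuse. One concrete way to do that hunt is to correlate the assertions a cloud service provider accepts with the sign-in events the identity provider actually recorded: a forged assertion is minted outside the IdP, so it tends to have no matching IdP event, or an unusually long validity window. The script below is an added example written for this article, not code from the advisory or from any of the named agencies. Its event types, field names, the one-hour lifetime policy and the sample events are all constructed for the illustration; it assumes the IdP and the service provider both record the assertion ID, which is how the two logs are joined.

```python
"""Hunt for forged SAML assertions by correlating service-provider events
with identity-provider sign-in events (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class IdpSignIn:
    """Sign-in as logged by the identity provider (constructed schema)."""
    user: str
    timestamp: datetime
    assertion_id: str


@dataclass(frozen=True)
class SpAssertion:
    """SAML assertion as accepted by the service provider (constructed schema)."""
    user: str
    issued_at: datetime
    not_before: datetime
    not_on_or_after: datetime
    assertion_id: str
    issuer: str


def hunt_forged_saml(idp_events, sp_events, expected_issuer,
                     max_lifetime=timedelta(hours=1),
                     correlation_window=timedelta(minutes=5)):
    """Return [(assertion_id, [reasons])] for assertions worth an analyst's attention.

    max_lifetime is the assertion lifetime the IdP is configured to issue (assumed
    one hour here); an assertion valid for longer was not issued under that policy.
    """
    idp_by_id = {e.assertion_id: e for e in idp_events}
    findings = []
    for a in sp_events:
        reasons = []
        if a.issuer != expected_issuer:
            reasons.append("unexpected issuer")
        if a.not_on_or_after - a.not_before > max_lifetime:
            reasons.append("validity window exceeds IdP policy")
        match = idp_by_id.get(a.assertion_id)
        if match is None:
            # The IdP never issued this assertion ID: the core Golden SAML signal.
            reasons.append("no matching IdP sign-in event")
        elif match.user != a.user:
            reasons.append("IdP sign-in user differs")
        elif abs(match.timestamp - a.issued_at) > correlation_window:
            reasons.append("IdP sign-in time does not match assertion")
        if reasons:
            findings.append((a.assertion_id, reasons))
    return findings


# Constructed sample data: one legitimate assertion and two suspicious ones.
T0 = datetime(2021, 4, 15, 12, 0, tzinfo=timezone.utc)
IDP = "https://idp.example.test"

SAMPLE_IDP_SIGNINS = [
    IdpSignIn("alice@example.test", T0, "_a1"),
    IdpSignIn("bob@example.test", T0 + timedelta(minutes=3), "_b1"),
]

SAMPLE_SP_ASSERTIONS = [
    # Legitimate: matching IdP sign-in, one-hour window.
    SpAssertion("alice@example.test", T0 + timedelta(seconds=2),
                T0, T0 + timedelta(hours=1), "_a1", IDP),
    # Suspicious: never seen at the IdP and valid for 24 hours.
    SpAssertion("admin@example.test", T0 + timedelta(minutes=10),
                T0 + timedelta(minutes=10), T0 + timedelta(hours=24, minutes=10),
                "_f1", IDP),
    # Suspicious: reuses an assertion ID the IdP issued to a different user.
    SpAssertion("carol@example.test", T0 + timedelta(minutes=3),
                T0 + timedelta(minutes=3), T0 + timedelta(hours=1, minutes=3),
                "_b1", IDP),
]


def run_sample():
    """Run the hunt over the constructed sample; returns the findings list."""
    return hunt_forged_saml(SAMPLE_IDP_SIGNINS, SAMPLE_SP_ASSERTIONS, IDP)


if __name__ == "__main__":
    for assertion_id, reasons in run_sample():
        print(assertion_id, "->", "; ".join(reasons))
```

In a real deployment the two inputs would be the IdP's token-issuance log and the cloud provider's sign-in log exported to a SIEM, and the join key and lifetime policy would come from the IdP's configuration; the logic stays the same, and the "no matching IdP sign-in event" finding is the one that most directly indicates a token minted outside the identity provider.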