FBI/DHS Issue Guidance for Network Defenders to Mitigate Russian Gov Hacking

The FBI and DHS have issued a Joint Cybersecurity Advisory on the threat posed by the Russian Foreign Intelligence Service (SVR) via the cyber actor known as APT 29 (aka the Dukes, Cozy Bear, Yttrium and CozyDuke).


This advisory primarily looks at the threats posed by APT 29, the evolution of its methods, and best practices to defend against the actor. It should be read in conjunction with, and as a supplement to, a separate advisory published earlier this month by the NSA, CISA and the FBI. The earlier advisory examined current vulnerabilities used by APT 29, and mitigations that can be employed against that use.


The new advisory provides “information on the SVR’s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks.” Notably, the advisory uses the terms SVR and APT 29 interchangeably throughout, indicating that it sees no difference between the cyber actor and the Russian intelligence agency.


The advisory highlights the primary attack methods used by APT 29, discusses tradecraft similarities to SolarWinds-enabled intrusions, and provides general APT 29 tradecraft observations.


In 2018, the SVR compromised a major network by using low-and-slow password spraying until it found an administrative account that did not require MFA. Through this account, the SVR modified target email account permissions to allow any authenticated network user to read those accounts.


“During the period of their access,” says the advisory, “the actors consistently logged into the administrative account to modify account permissions, including removing their access to accounts presumed to no longer be of interest, or adding permissions to additional accounts.”
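The two behaviours described above (a low-and-slow spray that stays under per-account lockout thresholds, followed by an administrator granting broad built-in groups read access to mailboxes and later churning those permissions) are both detectable from ordinary sign-in and admin-audit logs. The following Python is an added example written for this article, not code from the advisory or from either agency; the log lines, the audit records, their field layout, and the thresholds are all constructed assumptions chosen to illustrate the pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real data). One source address tries each
# account once, 30 minutes apart, so no account reaches a typical lockout
# threshold; the final attempt succeeds against an admin account without MFA.
# A second source shows a normal user mistyping a password, which must NOT
# be flagged. Format: "ISO-timestamp user source_ip RESULT".
SIGNIN_LOG = """\
2021-04-01T00:00:00 alice 203.0.113.7 FAIL
2021-04-01T00:30:00 bob 203.0.113.7 FAIL
2021-04-01T01:00:00 carol 203.0.113.7 FAIL
2021-04-01T01:30:00 dave 203.0.113.7 FAIL
2021-04-01T02:00:00 erin 203.0.113.7 FAIL
2021-04-01T02:30:00 frank 203.0.113.7 FAIL
2021-04-01T03:00:00 admin-svc 203.0.113.7 SUCCESS
2021-04-01T03:05:00 alice 198.51.100.20 FAIL
2021-04-01T03:06:00 alice 198.51.100.20 FAIL
2021-04-01T03:07:00 alice 198.51.100.20 SUCCESS
"""

# Constructed mailbox-permission audit records, loosely shaped like Exchange
# admin-audit entries (hypothetical field names, not a real export).
PERMISSION_AUDIT = [
    {"actor": "admin-svc", "op": "Add-MailboxPermission", "mailbox": "cfo",
     "grantee": "NT AUTHORITY\\Authenticated Users", "rights": "FullAccess"},
    {"actor": "admin-svc", "op": "Add-MailboxPermission", "mailbox": "legal",
     "grantee": "NT AUTHORITY\\Authenticated Users", "rights": "FullAccess"},
    {"actor": "admin-svc", "op": "Remove-MailboxPermission", "mailbox": "cfo",
     "grantee": "NT AUTHORITY\\Authenticated Users", "rights": "FullAccess"},
    {"actor": "helpdesk", "op": "Add-MailboxPermission", "mailbox": "shared-sales",
     "grantee": "jsmith", "rights": "FullAccess"},
]

# Grantees that make a mailbox readable by effectively every network user.
BROAD_GRANTEES = {"NT AUTHORITY\\AUTHENTICATED USERS", "EVERYONE", "DEFAULT", "ANONYMOUS"}


def parse_signins(text):
    """Turn the constructed log text into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def detect_spray(events, window=timedelta(hours=24), min_accounts=5, max_per_account=2):
    """Flag source IPs whose failures touch >= min_accounts distinct accounts
    inside `window` while no single account sees more than max_per_account
    failures (the low-and-slow signature that per-account lockout misses).
    Any successful sign-in from that source is reported alongside, because
    that is the account the spray found."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        start, best = 0, 0
        for end in range(len(fails)):            # sliding window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in fails[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                best = max(best, len(per_user))
        if best:
            successes = sorted({u for _, u, r in evs if r == "SUCCESS"})
            findings[ip] = {"accounts": best, "successes": successes}
    return findings


def audit_mailbox_permissions(records):
    """Return (broad_grants, edits_per_actor): grants to broad built-in groups,
    plus a count of permission edits per actor so one admin account adding
    and removing access across many mailboxes stands out."""
    broad = [r for r in records
             if r["op"].startswith("Add-") and r["grantee"].upper() in BROAD_GRANTEES]
    churn = defaultdict(int)
    for r in records:
        churn[r["actor"]] += 1
    return broad, dict(churn)


if __name__ == "__main__":
    for ip, f in detect_spray(parse_signins(SIGNIN_LOG)).items():
        print(f"spray from {ip}: {f['accounts']} accounts, successes={f['successes']}")
    broad, churn = audit_mailbox_permissions(PERMISSION_AUDIT)
    for r in broad:
        print(f"broad grant: {r['actor']} gave {r['grantee']} {r['rights']} on {r['mailbox']}")
    print("permission edits per actor:", churn)
```

On the constructed input the spray detector reports the single source that touched six accounts with one failure each and then succeeded against `admin-svc`, while the user who mistyped a password twice is ignored; the permission audit surfaces the two grants to Authenticated Users and shows `admin-svc` as the actor behind three of the four edits. The per-account cap is the important knob: raising it turns this into an ordinary brute-force rule, and the advisory's point is that the SVR deliberately stayed below that line.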


In another incident, SVR exploited ..
