Security Bodies Issue Joint Advisory to Expose Tactics by Russian Cyber Actors

The National Security Agency has released a joint advisory with three other agencies detailing how cyber actors associated with the Russian Foreign Intelligence Service, or SVR, continue to exploit victim networks. 

The advisory, titled “Further TTPs associated with SVR cyber actors,” included input from the U.K. National Cyber Security Centre, the Cybersecurity and Infrastructure Security Agency and the FBI, the NSA said.  

It highlights additional tactics, techniques and procedures used by SVR actors. 

The agencies cautioned that the cyber actors continue to exploit publicly known vulnerabilities. In the past, they have taken advantage of common vulnerabilities and exposures linked to products developed by Fortinet, Cisco, Oracle, Citrix and VMware.  

More recently, SVR actors were found to be responsible for the SolarWinds hack. The advisory noted that supply chain attacks like the SolarWinds incident give actors initial access to a large number of organizations, which they can narrow down to a smaller number of victims for follow-on compromise activity.

In addition, the document noted that SVR actors are often able to acquire further network information and access by targeting mailbox administrators. The approach enables them to gain a better understanding of their target network and obtain further privileges or credentials.

As an example, the advisory highlighted how a previous cyber actor searched for authentication credentials in mailboxes, including passwords and PKI keys.

SVR actors were also discovered to be using malware command and control tools such as the open-source tool Sliver. 

To combat the threats posed by the cyber actors, the agencies advised network defenders to prioritize patching and to further protect their networks against nation-state exploitation.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Cybersecurity

Join Us Now