Russian hackers are still launching offensive cyber attacks against the US and its allies in efforts to steal information or lay the foundations for future operations, a joint alert by security and intelligence agencies has warned.
The advisory from the FBI, Department of Homeland Security and CISA warns that the Russian Foreign Intelligence Service (SVR) – also known by cybersecurity researchers as APT 29, the Dukes and CozyBear – continues to focus on organisations in efforts to gather important information.
US agencies, together with the UK’s National Cyber Security Centre (NCSC), recently blamed the SVR for the SolarWinds supply chain attack.
And now organizations are being warned that Russian cyber attacks show no signs of stopping, especially attacks targeting the networks of organizations involved with government and information technology.
Cloud services including email and Microsoft Office 365 are being particularly targeted in attacks.
“Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,” according to the agency alert.
The alert explained common techniques used in SVR operations, including password spraying, leveraging zero-day vulnerabilities and deploying malware.
Password spraying is when attackers try weak or easily guessed passwords against accounts, particularly admin accounts. Where these accounts are secured with common passwords, including default usernames and passwords, attackers can gain access to poorly secured networks.
To defend against password spraying attacks, the FBI and DHS recommend enabling multi-factor authentication across the network and, where possible, enforcing the use of strong or complex passwords.
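Beyond MFA and strong passwords, the spraying pattern the alert describes is visible in authentication logs: one source failing logins against many different accounts, a few attempts each, inside a short window. The following is an added example, not code from the advisory or the agencies: a small Python detector run over constructed failed-login events; the event layout, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication-failure events (not from the alert).
# Fields: timestamp, source IP, username. A spray shows as one source
# trying many different accounts, a few times each, in a short window.
SAMPLE_EVENTS = [
    ("2021-04-26T09:00:01", "203.0.113.7", "admin"),
    ("2021-04-26T09:00:04", "203.0.113.7", "administrator"),
    ("2021-04-26T09:00:07", "203.0.113.7", "jsmith"),
    ("2021-04-26T09:00:10", "203.0.113.7", "svc-backup"),
    ("2021-04-26T09:00:13", "203.0.113.7", "helpdesk"),
    ("2021-04-26T09:00:16", "203.0.113.7", "root"),
    # One user mistyping their own password repeatedly is not a spray.
    ("2021-04-26T09:05:00", "198.51.100.20", "alice"),
    ("2021-04-26T09:05:30", "198.51.100.20", "alice"),
    ("2021-04-26T09:06:00", "198.51.100.20", "alice"),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=3):
    """Return {source_ip: sorted usernames} for sources that failed logins
    against at least `min_accounts` distinct accounts inside `window`,
    with each account tried at most `max_per_account` times (the
    low-and-slow pattern that stays under per-account lockout thresholds).
    Thresholds are assumed values; tune them to the environment."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), user))
    hits = defaultdict(set)
    for src, attempts in by_source.items():
        attempts.sort()
        start = 0
        # Slide a time window over the source's attempts, oldest to newest.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                hits[src].update(per_user)
    return {src: sorted(users) for src, users in hits.items()}


if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {users}")
```

A brute-force attempt against a single account trips the per-account threshold instead, so it is reported by lockout rules rather than by this detector.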
Another common technique is leveraging vulnerabilities in virtual private network (VPN) appliances that expose login credentials.
The FBI, DHS and CISA also warn about attacks using WellMess – a form of custom malware associated with APT 29, which has been used in attacks targeting Covid-19 vaccine research facilities. While stolen RDP credentials have been used to help install the malware, attackers have also been known to attempt to distribute it via spear-phishing emails.
This alert encourages organizations to examine their networks and gain a better understanding of how to secure against attacks.