The UK’s National Cyber Security Centre (NCSC), alongside partners at the US’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published a new advisory detailing techniques, tactics and procedures (TTPs) being used by the Russian intelligence-linked APT29 group, aka Cozy Bear.
The advisory covers a number of TTPs that the agencies understand the SVR – Russia’s foreign intelligence agency – to use, and builds on the UK’s and the US’s recent attribution of the large-scale SolarWinds-linked attacks, as well as warnings issued last year over its use of two new malwares, WellMess and WellMail, against organisations working on Covid-19 vaccines.
“The SVR is Russia’s civilian foreign intelligence service,” said the NCSC. “The group uses a variety of tools and techniques to predominantly target overseas governmental, diplomatic, think-tank, healthcare and energy targets globally for intelligence gain.
“The SVR is a technologically sophisticated and highly capable cyber actor. It has developed capabilities to target organisations globally, including in the UK, the US, Europe, Nato member states and Russia’s neighbours.”
In the wake of last summer’s report on its targeting of vaccine research, Cozy Bear now seems to have pivoted to using a number of new TTPs, in a likely attempt to avoid further detection and remediation, said the NCSC. Among other things, the group has enthusiastically taken up the use of Sliver, an open-source, cross-platform adversary simulation/red team platform.
“The use of the Sliver framework was likely an attempt to ensure access to a number of the existing WellMess and WellMail victims was maintained following the exposure of those capabilities,” said the NCSC. “As observed with the SolarWinds incidents, SVR operators often used separate command and control infrastructure for each victim of Sliver.”
It is also more frequently – and quickly – making use of newly disclosed vulnerabilities. Western intelligence now believes Cozy Bear is among the groups exploiting the widely reported and dangerous Microsoft Exchange Server ProxyLogon vulnerabilities. It has also been spotted exploiting common vulnerabilities in products from Fortinet, Cisco, Oracle, Zimbra, Pulse Secure, Citrix, Kibana and F5 Networks – some of which date back more than three years.
The NCSC said the group’s recent actions clearly demonstrate that managing and applying security updates as a priority would vastly help to reduce the attack surface that Cozy Bear can take advantage of.
It also reiterated its general advice that despite the complex and hard-to-spot nature of supply chain attacks (such as the SolarWinds incident), following basic cyber security principles, implementing network security controls and effectively managing user privileges will help to arrest lateral movement between hosts should an actor such as Cozy Bear make it onto an organisation’s network, and limit the effectiveness of its attacks.