Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



FBI/DHS Issue Guidance for Network Defenders to Mitigate Russian Gov Hacking

The FBI and DHS have issued a Joint Cybersecurity Advisory on the threat posed by the Russian Foreign Intelligence Service (SVR) via the cyber actor known as APT 29 (aka the Dukes, Cozy Bear, Yttrium and CozyDuke).

The FBI and DHS have issued a Joint Cybersecurity Advisory on the threat posed by the Russian Foreign Intelligence Service (SVR) via the cyber actor known as APT 29 (aka the Dukes, Cozy Bear, Yttrium and CozyDuke).

This advisory primarily looks at the threats posed by APT 29, the evolution of its methods, and best practices to defend against the actor. It should be read in conjunction with, and as a supplement to, a separate advisory published earlier this month by the NSA, CISA and the FBI. The earlier advisory examined current vulnerabilities used by APT 29, and mitigations that can be employed against that use.

The new advisory, provides “information on the SVR’s cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks.” Noticeably, the advisory uses the term SVR and APT 29 indistinguishably throughout, indicating that it sees no difference between the cyber actor and the Russian intelligence agency.

The advisory highlights the primary attack methods used by APT 29, discusses tradecraft similarities to SolarWinds-enabled intrusions, and provides general APT 29 tradecraft observations.

In 2018, SVR compromised a major network by using low and slow password spraying until they found an administrative account that did not require MFA authentication. Through this, the SVR modified target email account permissions to allow any authenticated network user to read the accounts.

“During the period of their access,” says the advisory, “the actors consistently logged into the administrative account to modify account permissions, including removing their access to accounts presumed to no longer be of interest, or adding permissions to additional accounts.”

In another incident, SVR exploited CVE-2019-19781 – at that time a zero-day vulnerability – to compromise a VPN device and obtain network access. “Following exploitation of the device in a way that exposed user credentials,” notes the advisory, “the actors identified and authenticated to systems on the network using the exposed credentials… in line with information of interest to a foreign intelligence service.”

In 2020, the governments of the U.S., UK, and Canada all attributed intrusions perpetrated using malware known as WELLMESS and targeting Covid-19 vaccine developers, to APT 29. The FBI’s investigation was that SVR was using unpatched publicly known vulnerabilities to access the target networks. Once this was achieved, the attacker focused on the victim’s vaccine research repository and Active Directory servers.

Advertisement. Scroll to continue reading.

“These intrusions, which mostly relied on targeting on-premises network resources,” warns the advisory, “were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment.”

The FBI and DHS do not explicitly specify within the advisory that SVR was responsible for the SolarWinds compromise of Orion, but do say that use of that compromise against other targets “indicate similar post-infection tradecraft with other SVR-sponsored intrusions.” In particular, this involves obtaining access to email accounts – especially those associated with IT staff – “to collect useful information about the victim networks, determine if victims had detected the intrusions, and evade eviction actions.”

These examples indicate that a primary intention for the SVR is intelligence gathering, as befits a foreign intelligence agency. While the actor may not directly seek to damage the networks it compromises, the information it gathers may be used offensively – as seen, for example, in the use of data stolen from the Democratic National Committee (DNC) by APT 29 in 2016 prior to the presidential election that year. Other offensive uses for stolen data would depend on the nature of the data stolen.

Related: Continuous Updates: Everything You Need to Know About the SolarWinds Attack

Related: Russian Hackers Silently Hit Government Targets for Years

Related: Kremlin Denies UK Claims of Vote Meddling, Vaccine Hacking

Related: What’s GRU? A Look at Russia’s Shadowy Military Spies

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.