FORT MEADE, Md. – The National Security Agency (NSA) has joined forces with multiple agencies, including the Federal Bureau of Investigation (FBI), the United States Cyber Command’s Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC), to issue a warning about ongoing cyber threats from the Russian Federation’s Foreign Intelligence Service (SVR). This alert emphasizes the need for swift action regarding security patching and system mitigation.
The new Cybersecurity Advisory (CSA) titled "Update on SVR Cyber Operations and Vulnerability Exploitation" sheds light on how SVR actors are actively exploiting a range of software vulnerabilities. The advisory includes a comprehensive list of publicly acknowledged common vulnerabilities and exposures (CVEs) alongside recommendations for improving an organization’s cybersecurity posture.
"This activity is a global threat to the government and private sectors and requires thorough review of security controls, including prioritizing patches and keeping software up to date," said Dave Luber, NSA’s Cybersecurity Director. He emphasized that the updated guidance aims to aid network defenders in detecting breaches and enhancing their security measures.

The CSA details various tactics, techniques, and procedures (TTPs) utilized by the SVR. These include spearphishing, password spraying, manipulation of supply chains, custom malware, and living-off-the-land techniques, which allow cybercriminals to exploit existing systems for their malicious activities. These actors are known to infiltrate networks, elevate their privileges, move through systems, maintain a foothold in victim environments, and exfiltrate sensitive information, often hiding their activities through methods such as Tor, compromised infrastructure, and proxies.
To effectively counter these methods, the advisory recommends establishing a baseline for authorized devices and scrutinizing systems that fail to comply with this baseline. This is crucial for identifying unauthorized access and potential breaches.
Looking Ahead
Since 2021, the SVR actors, also identified by names like APT29, Midnight Blizzard, the Dukes, and Cozy Bear, have consistently targeted U.S. and European organizations, particularly those in the defense, technology, and finance sectors. Their primary goal is to gather foreign intelligence and support future cyber operations, including those related to the ongoing conflict in Ukraine.
Impact and Legacy
A previous CSA released in April 2021, titled "Russian SVR Targets U.S. and Allied Networks," illustrated the SVR’s reliance on exploiting CVEs for initial system access. Since that time, SVR cyber actors have expanded their strategies, exploiting vulnerabilities en masse to impact a broad range of victims globally.

Moreover, a CSA from February 2024, "SVR Cyber Actors Adapt Tactics for Initial Cloud Access," provided additional insights regarding the usage of cloud environments and the employment of proxies, underlining the evolving nature of these cyber threats.
With cyber threats continuously changing and intensifying, the NSA’s updated guidance comes at a crucial time, providing vital insights that organizations can use to strengthen their cybersecurity defenses. Ensuring that security patches are promptly applied and that software is constantly updated is vital to mitigating risks associated with these persistent threats.
As the cyber landscape evolves, vigilance and proactive measures will remain key in safeguarding national and international interests against sophisticated adversaries.

