The UK’s National Cyber Security Centre (NCSC), alongside partners at the US’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, has published a new advisory detailing the tactics, techniques, and procedures (TTPs) being used by the Russian intelligence-linked APT29 group, aka Cozy Bear.
The advisory covers several TTPs that the agencies understand the SVR – Russia’s foreign intelligence agency – to use. It builds on the UK’s and the US’s recent attribution of the large-scale SolarWinds-linked attacks, as well as on warnings issued last year over the group’s use of two new malware families, WellMess and WellMail, against organizations working on Covid-19 vaccines.
“The SVR is Russia’s civilian foreign intelligence service,” said the NCSC. “The group uses various tools and techniques to predominantly target overseas governmental, diplomatic, think-tank, healthcare and energy targets globally for intelligence gain.
“The SVR is a technologically sophisticated and competent cyber actor. It has developed capabilities to target organizations globally, including in the UK, the US, Europe, NATO member states, and Russia’s neighbors.”
In the wake of last summer’s report on its targeting of vaccine research, Cozy Bear now seems to have pivoted to several new TTPs, in a likely attempt to avoid further detection and remediation, said the NCSC. Among other things, the group has made heavy use of Sliver, an open-source, cross-platform adversary simulation and red team platform.
“The use of the Sliver framework was likely an attempt to ensure access to a number of the existing WellMess and WellMail victims was maintained following the exposure of those capabilities,” said the NCSC. “As observed with the SolarWinds incidents, SVR operators often used separate command and control infrastructure for each victim of Sliver.”
It is also more frequently – and quickly – making use of newly disclosed vulnerabilities. Western intelligence now believes Cozy Bear is among the groups exploiting the widely reported and dangerous Microsoft Exchange Server ProxyLogon vulnerabilities. It has also been spotted exploiting common vulnerabilities in products from Fortinet, Cisco, Oracle, Zimbra, Pulse Secure, Citrix, Kibana, and F5 Networks – some of which date back more than three years.
The NCSC said the group’s recent actions clearly demonstrate that prioritizing the management and application of security updates would substantially reduce the attack surface that Cozy Bear can take advantage of.
It also reiterated its general advice that, despite the complex and hard-to-spot nature of supply chain attacks such as the SolarWinds incident, following basic cyber security principles, implementing network security controls, and effectively managing user privileges will help to arrest lateral movement between hosts should an actor such as Cozy Bear gain a foothold on an organization’s network, and will limit the effectiveness of its attacks.