Russian hackers have adopted new cyber tactics, techniques and procedures for attacking targets in the U.S. and elsewhere after their earlier methods were exposed, several government agencies said Thursday.
Security agencies in the U.S. and United Kingdom issued a joint advisory warning about recent activity they have attributed to hackers acting on behalf of the Russian Foreign Intelligence Service, or SVR.
Known also by names including APT29 and Cozy Bear, the hackers recently began leveraging a vulnerability affecting Microsoft Exchange Server that became publicly known in March, the advisory said.
Additionally, the unclassified, 14-page advisory said the hackers were recently spotted using an open-source command-and-control framework called Sliver after gaining initial access to victim networks.
The advisory was issued jointly by the FBI, U.S. National Security Agency (NSA), U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC).
Previously, the NCSC and Canada’s Communications Security Establishment (CSE) issued a joint report in July 2020 outlining specific tactics, techniques and procedures (TTPs) used by the hacking group.
“SVR cyber operators appear to have reacted to this report by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,” the new advisory says in part.
The latest advisory, published online by the NCSC, contains mitigation advice and other guidance meant to safeguard computer systems against the state-sponsored hacking group and its evolving attacks.
Among the advice included in the report is that system administrators responsible for maintaining potentially targeted networks should promptly apply security updates to fix known vulnerabilities.
“SVR actors regularly make use of publicly known vulnerabilities (alongside complex supply chain attacks) to gain initial access onto target networks,” reports part of the advisory. “Managing and applying security updates as quickly as possible will help reduce the attack surface available for SVR actors, and force them to use higher equity tooling to gain a foothold in the networks.”
Specifically, the advisory says the SVR has been attempting to exploit a specific vulnerability affecting Microsoft Exchange Server, a popular email and calendar server, among other security bugs.
Microsoft disclosed the vulnerability months ago and made a security patch available. At the time, Microsoft said the vulnerability was being exploited by suspected Chinese state-sponsored hackers.
CISA subsequently issued an emergency directive ordering all civilian agencies to update any vulnerable versions of Microsoft Exchange Server products immediately.
In addition to bugs in Microsoft Exchange Server, the joint advisory issued this week said SVR has sought to exploit known vulnerabilities in products from vendors including Cisco, Pulse and Oracle.
The advisory does not specify victims of the SVR campaign, but it notes the hackers commonly attack governmental, think-tank, policy and energy targets that align with Russian intelligence interests.
Previously, SVR was accused in the July 2020 report of targeting organizations involved with the development of vaccines to fight COVID-19, the contagious disease caused by the novel coronavirus.
“We find such accusations unacceptable,” Kremlin spokesman Dmitry Peskov said at the time. “We can say only one thing, Russia has nothing to do with these attempts.”