The National Security Agency (NSA) joins the Federal Bureau of Investigation (FBI), the United States Cyber Command’s Cyber National Mission Force (CNMF), and the United Kingdom National Cyber Security Centre (NCSC) to warn network defenders about ongoing Russian Federation Foreign Intelligence Service (SVR) cyber threats and to recommend rapid countermeasures for security patching and mitigating systems.
According to the CSA, SVR cyber actors are using a range of tactics, techniques, and procedures (TTPs) including, but not limited to, spearphishing, password spraying, abuse of supply chain and trusted relationships, custom and bespoke malware, cloud exploitation, and living off the land techniques. They gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. They often conceal their activity using Tor, leased and compromised infrastructure, and proxies.
To disrupt this activity, the report’s authors recommend baselining authorized devices and scrutinizing systems accessing their networks that do not adhere to the baseline, among other mitigations.
Since 2021, the SVR actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), the Dukes, and Cozy Bear – have consistently targeted U.S., European, and global entities in the defense, technology, and finance sectors. Their intent is to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine.
A CSA published in April 2021, “Russian SVR Targets U.S. and Allied Networks,” highlighted the SVR’s exploitation of CVEs for initial access. Since then, SVR cyber actors have exploited vulnerabilities at a mass scale to target victims worldwide across many sectors. A CSA released in February 2024, “SVR Cyber Actors Adapt Tactics for Initial Cloud Access,” highlighted additional information on the exploitation of cloud environments and the use of proxies.
The joint Cybersecurity Advisory (CSA), “Update on SVR Cyber Operations and Vulnerability Exploitation,” highlights how Russian SVR cyber actors are currently exploiting a set of software vulnerabilities and have intentions to exploit additional vulnerabilities. It provides a detailed list of publicly disclosed common vulnerabilities and exposures (CVEs) and a list of mitigations to improve cybersecurity posture based on the SVR cyber actors’ operations.
“This activity is a global threat to the government and private sectors and requires thorough review of security controls, including prioritizing patches and keeping software up to date,” said Dave Luber, NSA’s Cybersecurity Director. “Our updated guidance will help network defenders detect these intrusions and ensure they are taking steps to secure their systems.”