Russia-linked APT29 group changes TTPs following April advisories

The UK and US cybersecurity agencies have published a report detailing techniques used by Russia-linked cyberespionage group known APT29 (aka Cozy Bear).

Today, UK NCSC and CISA-FBI-NSA cybersecurity agencies published a joint security advisory that warns organizations to patch systems immediately to mitigate the risk of attacks conducted by Russia-linked SVR group (aka APT29, Cozy Bear, and The Dukes)). The joint report states that the cyberspies have already changed targets following the April advisories.

The NCSC, NSA, CISA, and CSE have previously issued a joint report regarding the group’s campaigns aimed at organizations involved in COVID-19 vaccine development throughout 2020 using WellMess and WellMail malware. The news joint repost, speculate the SVR has reacted to the report by changing their TTPs. These changes reported by the government experts include the deployment of the open-source tool Sliver to gain persistence on the compromised infrastructure and the use of multiple vulnerabilities, including Microsoft Exchange ProxyLogon vulnerability CVE-2021-26855.

“SVR cyber operators appear to have reacted to this report by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders.” states the report.SVR cyber operators appear to have
reacted to this report by changing their
TTPs in an attempt to avoid further
detection and remediation efforts by
network defenders.

Below the full list vulnerabilities exploited by Russian SVR in multiple attacks:

• CVE-2018-13379 FortiGate
• CVE-2019-1653 Cisco router
• CVE-2019-2725 Oracle WebLogic Server
• CVE-2019-9670 Zimbra
• CVE-2019-11510 Pulse Secure
• CVE-2019-19781 Citrix
• CVE-2019-7609 Kibana
• CVE-2020-4006 VMWare
• CVE-2020-5902 F5 Big-IP
• CVE-2020-14882 Oracle WebLogic
• CVE-2021-21972 VMWare vSphere

Clearly, the above list should not be treated as exhaustive. According to the advisory, APT29 targets organizations that align with Russian foreign intelligence interests. The list of targets includes governmental, think-tank, policy and energy targets, and organizations involved in the development of the COVID19 vaccine.

The report includes mitigation advice, along with Snort and YARA rules that could be used by organizations to detect and defend against attacks conducted by the Russian SVR cyberspies.

US CISA also published details about Russian SVR activities related to SolarWinds compromise which include mitigation strategies.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT29)

[adrotate banner=”5″]

[adrotate banner=”13″]