The UK’s National Cyber Security Centre (NCSC), alongside partners at the US’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, has published a new advisory detailing techniques, tactics, and procedures (TTP) being used by the Russian intelligence-linked APT29 group. The advisory covers several TTP that the agencies understand the SVR – Russia’s foreign intelligence agency – to use and builds on the UK’s and the US’s , as well as warnings issued last year over its use of against organizations working on Covid-19 vaccines.
“The SVR is Russia’s civilian foreign intelligence service,” said the NCSC. “The group uses various tools and techniques to predominantly target overseas governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain. The SVR is a technologically sophisticated and competent cyber actor. It has , including in the UK, the US, Europe, Nato member states, and Russia’s neighbors.”
In the wake of last summer’s research, Cozy Bear now seems to have pivoted to using several new TTP, in a likely attempt to avoid further detection and remediation, said the NCSC. Among other things, the group has enthusiastically used Sliver, an open-source, cross-platform adversary simulation/red team platform. “The use of the Sliver framework was likely an attempt to ensure access to a was maintained following the exposure of those capabilities,” said the NCSC. “As observed with the , SVR operators often used separate command and control infrastructure for each victim of Sliver.”
It is also more frequently – and quickly – making use of newly disclosed vulnerabilities. Western intelligence now believes Cozy Bear is among the groups exploiting the widely reported and dangerous vulnerabilities. It has also been spotted exploiting common vulnerabilities in products from Fortinet, Cisco, Oracle, Zimbra, Pulse Secure, Citrix, Kibana, and F5 Networks – some of which date back .
The NCSC said the group’s recent actions demonstrate that managing and applying patches as a priority would vastly help to reduce the attack surface that Cozy Bear can take advantage of.
It also reiterated its general advice that, despite the complex and hard-to-spot nature of supply chain attacks (such as the SolarWinds incident), following basic cyber security principles, implementing network security controls, and effectively managing user privileges will help to arrest lateral movement between hosts should an actor such as Cozy Bear make it onto an organization’s network, and will limit the effectiveness of its attacks.