The latest advisory warns organisations that the hackers show no sign of backing down.
Russian hackers are still targeting U.S. and foreign entities to gather intelligence for future cyberattacks, U.S. security and intelligence agencies have warned.
In a Joint Cybersecurity Advisory, the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) noted that Russian Foreign Intelligence Service (SVR) cyber actors primarily target government networks, think tanks, policy analysis organisations, and information technology companies.
U.S. agencies and the U.K.'s National Cyber Security Centre have blamed the SVR for the SolarWinds supply chain attack, which gave the hackers access to thousands of organisations around the world, including many government agencies.
The FBI said that beginning in 2018, the SVR shifted from using malware on victim networks to targeting cloud resources, mainly e-mail, to obtain information. It added that the SVR's exploitation of Microsoft Office 365 environments during the SolarWinds attack reflects this continuing trend.
“Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,” the advisory stated.
The advisory also details the SVR's tactics, techniques, and procedures.
One technique the SVR has used is password spraying: trying a small set of common passwords against many accounts rather than many passwords against one. In the intrusion the advisory describes, it was used to identify a weak password on an administrative account. The actors attempted only a small number of passwords at infrequent intervals, so that per-account lockout thresholds were never reached and the activity blended into normal failed logins. To defend against this technique, the FBI and DHS recommend mandatory multi-factor authentication and strong passwords, and urge network operators to prohibit remote access to administrative functions and resources from IP addresses and systems not owned by the organisation.
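The "low and slow" pattern described above is exactly what per-account lockout rules miss, so defenders need a cross-account view of failures from each source. The following is an added example written for this article, not code from the advisory or from any of the agencies: it parses a constructed sign-in log (the comma-separated format, the IP ranges treated as organisation-owned, and the account names are all assumptions), flags a source IP that fails against many distinct accounts with very few attempts each over a long window, and separately flags successful administrative sign-ins from addresses outside the organisation's own networks, which the advisory says should be blocked outright.

```python
"""Password-spray and outside-admin-login detection over constructed sign-in events.

Added example for illustration; the log format, thresholds, organisation
networks and admin account names below are assumptions, not from the advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not real data). Assumed format: timestamp,user,src_ip,result
# 203.0.113.7 sprays six accounts once each over ~19 hours, then signs in as svc-admin.
# 10.0.0.5 is an internal user mistyping a password; 198.51.100.20 is an internal admin.
SAMPLE_LOG = """\
2021-04-26T00:12:01Z,alice,203.0.113.7,FAIL
2021-04-26T03:40:22Z,bob,203.0.113.7,FAIL
2021-04-26T07:15:09Z,carol,203.0.113.7,FAIL
2021-04-26T11:02:47Z,dave,203.0.113.7,FAIL
2021-04-26T14:33:30Z,erin,203.0.113.7,FAIL
2021-04-26T18:58:12Z,svc-admin,203.0.113.7,FAIL
2021-04-26T22:20:05Z,svc-admin,203.0.113.7,SUCCESS
2021-04-26T09:00:00Z,frank,10.0.0.5,FAIL
2021-04-26T09:00:20Z,frank,10.0.0.5,FAIL
2021-04-26T09:00:45Z,frank,10.0.0.5,SUCCESS
2021-04-26T12:00:00Z,itadmin,198.51.100.20,SUCCESS
"""

# Assumed: address ranges the organisation owns, and its administrative accounts.
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("198.51.100.0/24")]
ADMIN_ACCOUNTS = {"svc-admin", "itadmin"}


def parse_log(text):
    """Turn the assumed CSV lines into event dicts with parsed timestamps and IPs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "result": result,
        })
    return events


def per_account_lockout(events, threshold=5):
    """The classic control: accounts with more than `threshold` failures.

    A spray that spends one or two guesses per account never trips this."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    return sorted(u for u, n in fails.items() if n > threshold)


def detect_spray(events, window=timedelta(hours=24), min_accounts=5, max_per_account=2):
    """Source IPs that fail against >= min_accounts distinct users within `window`,
    with no single account guessed more than max_per_account times.

    Returns {source_ip: sorted list of targeted accounts}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        # Slide a window over this source's failures; stop at the first match.
        for i, start in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[str(ip)] = sorted(per_user)
                break
    return hits


def detect_admin_from_outside(events):
    """Successful admin sign-ins from addresses the organisation does not own."""
    out = []
    for e in events:
        if (e["result"] == "SUCCESS" and e["user"] in ADMIN_ACCOUNTS
                and not any(e["ip"] in net for net in ORG_NETWORKS)):
            out.append((e["user"], str(e["ip"]), e["ts"].isoformat()))
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("accounts over lockout threshold:", per_account_lockout(evs))
    print("spray sources:", detect_spray(evs))
    print("admin logins from outside:", detect_admin_from_outside(evs))
```

On the constructed log the per-account lockout rule returns nothing, while the cross-account rule attributes the six spread-out failures to one source and the admin-from-outside rule catches the follow-on login. In production the same logic would run over identity-provider sign-in logs, with the window and thresholds tuned to the tenant's baseline.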
Another method the hackers have used is a zero-day exploit against a virtual private network (VPN) appliance to obtain network access. The agencies also warned about WELLMESS, malware written in the Go programming language that was used to target organisations involved in COVID-19 vaccine development.
The FBI also noted that the infrastructure used in the intrusions is obtained using false identities and cryptocurrencies. The alert was released to help organisations investigate and secure their networks, and CISA encouraged users and administrators to implement the recommended mitigations.