NSA, FBI, DHS expose Russian intelligence hacking tradecraft
The U.S. government warned the private sector Thursday that Russian government hackers working for Russia’s Foreign Intelligence Service (SVR) are actively exploiting five known vulnerabilities to target U.S. companies and the defense industrial base.
The National Security Agency, the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) urged system administrators to patch immediately against the vulnerabilities the hackers, also known at APT29 or Cozy Bear, are exploiting.
The SVR hackers are specifically actively exploiting vulnerabilities in Fortinet FortiGate VPN, Synacor Zimbra Collaboration Suite, Pulse Secure Pulse Connect Secure VPN, Citrix Application Delivery Controller and Gateway and VMware Workspace ONE Access to gain initial footholds into networks, the government said in its alert. The hackers have been using these initial footholds to collect victims’ authentication credentials to burrow further into networks.
The announcement coincides with the U.S. intelligence community’s formal attribution of the supply chain hack of federal contractor SolarWinds to SVR hackers. The intelligence community said it has high confidence in its attribution of the sweeping espionage operation, which has impacted approximately 100 companies and nine federal government agencies.
The U.S. government said it is issuing sanctions against six technology companies that have contributed to SVR’s cyber-operations and expelling 10 Russian officials, including intelligence officers, from the U.S. in connection with SolarWinds and other malicious activity targeting Americans.
The NSA released the information about Russia’s latest techniques to target American companies Thursday in order to throw up roadblocks for foreign hackers. The thinking is that if the NSA can expose foreign government hackers’ tradecraft or tooling, they will have to go back to the drawing board, the NSA’s newly minted cybersecurity director, Rob Joyce, told lawmakers Wednesday.
“We’re taking away the tools and capabilities of these adversaries,” Joyce said during testimony on Capitol Hill. “By exposing the implants and malware, they then lose that capability and they have to redevelop.”
The announcement about the vulnerabilities further explains the reasoning.
“Mitigation against these vulnerabilities is critically important as U.S. and allied networks are constantly scanned, targeted, and exploited by Russian state-sponsored cyber actors,” the government said. “NSA, CISA, and FBI strongly encourage all cybersecurity stakeholders to check their networks for indicators of compromise related to all five vulnerabilities and the techniques detailed in the advisory and to urgently implement associated mitigations.”
The NSA has previously exposed other Russian government malware used by hackers working for Russia’s General Staff Main Intelligence Directorate’s 85th Main Special Service Center, military unit 26165. As part of its broader effort to expose foreign hackers’ tradecraft, the NSA has also exposed how Chinese government-backed hackers were stealing passwords from defense contractors.