NCSC warns organizations of cyber threat from Russian Foreign Intelligence
Attackers linked to the Russian government are exploiting unpatched vulnerabilities, say UK and US security agencies
The National Cyber Security Centre (NCSC) is warning organizations to buckle up for online attacks by Russia's Foreign Intelligence Service (SVR).
More than 20 publicly disclosed vulnerabilities have been listed in a joint advisory of US security agencies. These, it believes, can be exploited by the hacking group, APT29, also known as Midnight Blizzard, the Dukes, and Cozy Bear.
The group has been targeting US, European, and global organizations since at least 2021, primarily focusing on the defense, technology, and finance sectors.
It's best known for the 2019 supply chain compromise of SolarWinds, which hit more than 18,000 companies, as well as the targeting of organizations involved in the development of the COVID-19 vaccine in 2020.
The current aim of the group, says the NCSC, is to collect foreign intelligence to support future cyber campaigns, including operations in support of Russia's ongoing invasion of Ukraine.
Some of the techniques used by the group include spear-phishing, password spraying, abuse of supply chain and trusted relationships, custom and bespoke malware, cloud exploitation, and living off the land.
The victims fall into two types. The first, 'targets of intent', includes government and diplomatic bodies, think tanks, technology companies, and financial institutions around the world, including in the UK.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Targets of opportunity, meanwhile, are acquired by scanning internet-facing systems for unpatched vulnerabilities at scale, which are then opportunistically exploited. And this, the NCSC points out, means that any organization with vulnerable systems could be targeted.
In both cases, follow-up operations are likely, say the agencies, as the attackers escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. They often conceal their activity using Tor, leased, and compromised infrastructure and proxies.
"Russian cyber actors are interested in and highly capable of accessing unpatched systems across a range of sectors, and once they are in, they can exploit this access to meet their objectives," said NCSC director of operations Paul Chichester.
"All organizations are encouraged to bolster their cyber defenses: take heed of the advice set out within the advisory and prioritize the deployment of patches and software updates."
The advisory lists the 20-odd publicly disclosed common vulnerabilities and exposures (CVEs) concerned, along with recommended mitigations, including baselining authorized devices and scrutinizing any systems accessing an organization's networks that don't adhere to the baseline.
"This activity is a global threat to the government and private sectors and requires a thorough review of security controls, including prioritizing patches and keeping software up to date," said Dave Luber, cybersecurity director of the US National Security Agency (NSA).
"Our updated guidance will help network defenders detect these intrusions and ensure they are taking steps to secure their systems."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.