NCSC warns of global threat from Russian foreign intelligence


In a new advisory, the National Cyber Security Centre (NCSC) – part of GCHQ – and agencies in the United States have shared the latest tactics being used by Russia’s Foreign Intelligence Service (SVR).

The NCSC aims to help organisations protect themselves from SVR actors seeking to collect foreign intelligence for future cyber operations, including in support of Russia’s ongoing invasion of Ukraine.

The advisory warns that SVR attackers are exploiting vulnerabilities at mass scale as part of a continued global campaign. It shares more than 20 publicly disclosed vulnerabilities that the threat actors are assessed to have the capability and interest to exploit.

The SVR cyber actors, also known as APT29, generally have two types of intended victims: targets of intent and targets of opportunity.

Targets of intent include government and diplomatic entities, think tanks, technology companies, and financial institutions across the globe, including in the UK.

Targets of opportunity are found by scanning internet-facing systems at scale for unpatched vulnerabilities, which are then opportunistically exploited – meaning any organisation with vulnerable systems could be targeted.

For both sets of victims, once initial access has been achieved, the SVR cyber actors can then conduct follow-on operations from compromised accounts or attempt to pivot to other networks connected to the victim, such as in their supply chain.

“Russian cyber actors are interested in and highly capable of accessing unpatched systems across a range of sectors and once they are in, they can exploit this access to meet their objectives,” NCSC Director of Operations Paul Chichester said. “All organisations are encouraged to bolster their cyber defences: take heed of the advice set out within the advisory and prioritise the deployment of patches and software updates.”

Any UK organisations that may have been compromised through the vulnerabilities described in the advisory should report it to the NCSC.

Earlier this year, the NCSC exposed how malicious cyber actors linked to Russia’s SVR were adapting their techniques in response to the increasing shift to cloud-based infrastructure.

SVR cyber actors are commonly known for the supply chain compromise of SolarWinds and the targeting of organisations involved in the development of the COVID-19 vaccine.

The advisory has been jointly published by the NCSC, the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
