Russian operations targeting cloud and email, advisory warns
- By Justin Katz
- Apr 27, 2021
The Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency and the FBI on Monday issued a new advisory describing ways to counter tactics and techniques used by Russia’s SVR foreign intelligence service, the attackers behind the intrusion involving SolarWinds.
The advisory describes how the agencies observed the SVR shift its tactics from deploying malware to targeting cloud and email servers as a way to gather information, a shift seen alongside the exploitation of SolarWinds software and flaws in Microsoft Office 365.
“Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations,” according to the advisory.
Few SolarWinds victim organizations were able to identify the initial access vector, but some were able to correlate different alerts to identify unauthorized activity, the advisory states: “The FBI and DHS believe those indicators, coupled with stronger network segmentation (particularly ‘zero trust’ architectures or limited trust between identity providers) and log correlation, can enable network defenders to identify suspicious activity requiring additional investigation.”
The advisory also describes the SVR’s use of zero-day vulnerabilities, password-spraying attacks and the “WELLMESS” malware that targeted COVID-19 vaccine development.
“These intrusions, which mostly relied on targeting on-premises network resources, were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment,” the advisory says of a 2020 WELLMESS attack on the governments of the U.S., Canada and the United Kingdom.
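The advisory’s two defensive themes above, password spraying against accounts and log correlation to surface it, can be shown together. The following is an added illustration, not part of the advisory or of this article: it correlates authentication-log lines by source address to flag a source that fails against many distinct accounts in a short window (the spray pattern, which per-account lockout thresholds miss), then lists any account that subsequently signed in successfully from that source. The log format, field names, hosts and addresses are constructed for the example; real Office 365 or mail-server sign-in logs have different fields and would need their own parser.

```python
"""Password-spray detection by correlating sign-in logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "<ts> user=<u> src=<ip> result=<r>" format.
# 203.0.113.10 tries one guess against many accounts (spray) and then lands one;
# 198.51.100.7 is one user retyping their own password; 192.0.2.55 is a single typo.
SAMPLE_LOG = """\
2021-04-26T08:00:01Z user=alice src=203.0.113.10 result=FAIL
2021-04-26T08:00:04Z user=bob src=203.0.113.10 result=FAIL
2021-04-26T08:00:07Z user=carol src=203.0.113.10 result=FAIL
2021-04-26T08:00:10Z user=dave src=203.0.113.10 result=FAIL
2021-04-26T08:00:13Z user=erin src=203.0.113.10 result=FAIL
2021-04-26T08:00:16Z user=frank src=203.0.113.10 result=SUCCESS
2021-04-26T08:05:00Z user=grace src=198.51.100.7 result=FAIL
2021-04-26T08:05:20Z user=grace src=198.51.100.7 result=FAIL
2021-04-26T08:05:40Z user=grace src=198.51.100.7 result=FAIL
2021-04-26T08:06:00Z user=grace src=198.51.100.7 result=SUCCESS
2021-04-26T09:30:00Z user=heidi src=192.0.2.55 result=FAIL
2021-04-26T09:31:00Z user=heidi src=192.0.2.55 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(FAIL|SUCCESS)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, result = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "src": src,
        "ok": result == "SUCCESS",
    }


def parse_log(text):
    """Parse all lines, silently skipping ones that do not fit the format."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Return {src: {"first_seen": ts, "accounts": [...]}} for every source whose
    failed sign-ins cover at least `min_accounts` distinct accounts within `window`.
    The per-source, many-accounts view is what distinguishes a spray from a user
    repeatedly failing on a single account."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, items in fails.items():
        items.sort()
        for i in range(len(items)):  # slide a window starting at each failure
            users = set()
            for ts, user in items[i:]:
                if ts - items[i][0] > window:
                    break
                users.add(user)
            if len(users) >= min_accounts:
                flagged[src] = {"first_seen": items[i][0], "accounts": sorted(users)}
                break
    return flagged


def successes_after_spray(events, flagged):
    """Correlate: accounts that signed in successfully from a flagged source at or
    after the spray began are the ones to treat as possibly compromised."""
    return [
        (e["user"], e["src"])
        for e in events
        if e["ok"] and e["src"] in flagged and e["ts"] >= flagged[e["src"]]["first_seen"]
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_spray(evs)
    for src, info in hits.items():
        print(f"spray from {src} starting {info['first_seen']}: {info['accounts']}")
    for user, src in successes_after_spray(evs, hits):
        print(f"review account {user}: successful sign-in from spraying source {src}")
```

Thresholds are deliberately parameters: the five-accounts-in-thirty-minutes default is a starting point for the sample, and a production rule would be tuned against the organisation’s own baseline and fed by identity-provider logs rather than a flat text file.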
To prevent misuse of their services, the FBI and DHS recommend that service providers strengthen their user validation and verification systems.
This article first appeared on FCW, a Defense Systems partner site.
Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.