Homeland Security Alert Describes Russia Cyberattack Tactics
A recent alert (AA21-116A) issued by federal law enforcement, the Department of Homeland Security (DHS) and the agency’s cyber wing is intended to forearm U.S. IT companies, government entities, researchers and policy makers on the primary tactics Russian-backed hacking crews are using to hijack critical intelligence.
The bulletin comes roughly two weeks after a separate advisory that warned of the Russian Foreign Intelligence Service's (SVR) ongoing exploitation of five publicly known vulnerabilities and that also carried the U.S. government's formal attribution of the SolarWinds Orion cyber supply chain attack and spying campaign to Russia. This dispatch goes a step further, offering actionable material on the SVR's cyber tools, targets, techniques, and capabilities to help organizations secure their networks.
SVR cyber actors, also known as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium, use a “range of initial exploitation techniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks,” the warning, jointly issued by the Federal Bureau of Investigation (FBI), DHS and the Cybersecurity and Infrastructure Security Agency (CISA), said.
How Russia-Led Cyberattacks Allegedly Work
Here are SVR’s go-to tactics, techniques and procedures (TTP) along with protective measures organizations can employ:
TTP: Password spraying to identify a weak password in an administrative account.
- Mandatory use of an approved multi-factor authentication solution for all users from both on-premises and remote locations.
- Prohibit remote access to administrative functions and resources from IP addresses and systems not owned by the organization.
- Regular audits of mailbox settings, account permissions, and mail forwarding rules for evidence of unauthorized changes.
- Enforce the use of strong passwords and prevent the use of easily guessed or commonly used passwords through technical means, especially for administrative accounts.
- Regularly review the organization’s password management program.
- Ensure the organization’s IT support team has well-documented standard operating procedures for password resets and user account lockouts.
- Maintain a regular cadence of security awareness training for all company employees.
TTP: Leveraging a zero-day vulnerability to obtain network access and expose user credentials.
- Monitor the network for evidence of encoded PowerShell commands and execution of network scanning tools, such as NMAP.
- Ensure host-based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or reporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of time.
- Require use of multi-factor authentication to access internal systems.
- Immediately configure systems newly added to the network, including those used for testing or development work, to follow the organization’s security baseline, and incorporate them into enterprise monitoring tools.
TTP: Implanting WellMess malware on COVID-19 vaccine development facilities by compromising trusted software.
- Audit log files to identify attempts to access privileged certificates and creation of fake identity providers.
- Deploy software to identify suspicious behavior on systems, including the execution of encoded PowerShell.
- Deploy endpoint protection systems with the ability to monitor for behavioral indicators of compromise.
- Use available public resources to identify credential abuse within cloud environments.
- Configure authentication mechanisms to confirm certain user activities on systems, including registering new devices.
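Two of the recommendations above (under the zero-day and WellMess TTPs) call for spotting encoded PowerShell execution. The following is an added detection example, not part of the alert or the article: it scans process-creation command lines for the -EncodedCommand switch and its accepted abbreviations, decodes the UTF-16LE base64 payload for triage, and still flags the line when the payload will not decode. The command lines are constructed sample data.

```python
"""Flag encoded PowerShell in process-creation command lines (constructed sample data)."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# powershell.exe accepts -EncodedCommand, -ec, and any prefix from -e upward,
# so match every abbreviation rather than only the full switch name.
_PREFIXES = ["encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)] + ["ec"]
ENCODED_SWITCH = re.compile(
    r"(?:^|\s)-(?:" + "|".join(sorted(_PREFIXES, key=len, reverse=True)) + r")\s+(\S+)",
    re.IGNORECASE,
)

@dataclass
class Finding:
    command_line: str
    payload: str
    decoded: Optional[str]   # None when the payload cannot be decoded

def decode_payload(payload: str) -> Optional[str]:
    """-EncodedCommand payloads are base64 of UTF-16LE text; return None otherwise."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None

def find_encoded_powershell(command_lines: List[str]) -> List[Finding]:
    """Return one Finding per command line that carries an encoded-command switch."""
    findings = []
    for line in command_lines:
        m = ENCODED_SWITCH.search(line)
        if m:
            findings.append(Finding(line, m.group(1), decode_payload(m.group(1))))
    return findings

# Constructed sample telemetry, not real events. The encoded payload is built here so
# the sample stays valid; in a real hunt it would come straight from the event record.
ENCODED_SAMPLE = base64.b64encode('Write-Host "hello"'.encode("utf-16-le")).decode()
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1',
    f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}",
    "pwsh -NonInteractive -EncodedCommand not*valid*base64",   # switch present, garbage payload
    "cmd.exe /c dir",
]

if __name__ == "__main__":
    for f in find_encoded_powershell(SAMPLE_COMMAND_LINES):
        print(f"{f.command_line}\n  -> {f.decoded if f.decoded is not None else '(undecodable payload)'}")
```

Note that -ExecutionPolicy is not matched, because every abbreviation must be followed by whitespace and then a payload token.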