The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory to provide information on cyber tools and techniques used by Russian Foreign Intelligence Service actors to compromise government networks, information technology companies and think tanks.
Russia’s SVR actors use password spraying, exploitation of zero-day vulnerabilities and WELLMESS malware, among other techniques, to infiltrate networks, the agencies said Monday.
The FBI also observed that, starting in 2018, SVR actors transitioned from relying on malware to targeting cloud-based platforms in order to gain access to data.
The agencies also recommend best practices that network operators can implement to protect IT systems against the identified techniques, such as mandating an approved multifactor authentication method for all users, performing regular audits of mailbox settings and account permissions, monitoring the network for evidence of encoded PowerShell commands, and auditing log files to detect attempts to access privileged certificates.
“The FBI and DHS recommend service providers strengthen their user validation and verification systems to prohibit misuse of their services,” the advisory states.
In mid-April, CISA, FBI and the National Security Agency issued an advisory listing five network vulnerabilities used by SVR actors to compromise U.S. and allied government systems. The White House also issued a statement attributing the SolarWinds hack to SVR.