The US agencies FBI and NSA and the NCSC in the UK released a report last May warning that groups linked to the Russian Federation's intelligence Service (SVR) are carrying out new and dangerous cyber attacks, changing their usual tactics, techniques and procedures (TTPs).
The report, entitled Further TTPs associated with SVR cyber actors, provides details of these new TTPs, cites the groups associated with Russia (APT29, Cozy Bear and Dukes) and holds them responsible for recent major cyber attacks. It claims that the SVR uses a variety of tools and techniques against foreign government, diplomatic, health and energy targets to obtain intelligence. It also warns that they are highly sophisticated and have sufficient capabilities to harm states, MSPs, and organizations around the world.
Gaining access through vulnerabilities and the supply chain
Analysts note that SVR primarily uses two techniques to gain access to systems recognized in the MITRE ATT&CK Matrix that classifies TTPs:
However, the report also highlights the importance of targeting the supply chain for these actors. These cyber attacks have given SVR access to many organizations. The highest-profile attack of this nature was Sunburst: a massive cyber attack that affected the SolarWinds corporate network management software used by hundreds of big corporations such as Microsoft, Intel, Cisco and SAP.
Cobalt Strike and Sliver
Agency analysts point out that, on multiple occasions, SVR-linked groups have used Cobalt Strike, a command and control (C&C) program that allows all sorts of operations within systems once they have gained initial access through the techniques described above.
With regard to SolarWinds, forensic analysis at one of the organizations that fell victim to the attack showed that the hackers used GoldFinder GoldMax and Sibot malware, which were deployed for backdoor functions and as loaders.
But they emphasize that these cyber actors have used the Sliver platform the most, which is another tool for simulation and Red Team practices that supports a wide variety of Commands and Control mechanisms once the system has been broken into. It’s striking that for each large organization targeted through Sliver, hackers have used different infrastructures, such as the systems where they operate from, possibly to make it more difficult to track them and to maintain their control over the systems they hit for longer.
Upgrades and Zero-Trust for MSPs and their customers
As we have seen, the report shows that these cyber-criminal groups use highly advanced techniques and procedures and therefore pose a significant threat to service providers and their customers. However, MSPs can reduce the risks of cyber attacks and intrusion into organizations if they apply good practices and have the right tools in place:
- First, since the techniques they use to gain initial access exploit vulnerabilities in systems and software, ensuring the latest updates and patches for all of them are in place is key to minimize these risks.
- Second, supply chain cyber attacks highlight that any software, no matter how legitimate it may seem, can be an entry vector for malware. This means that MSPs must implement tools that start from a premise of total distrust until they are 100% proven to be secure.
In this respect, WatchGuard's endpoint security solutions provide an effective response for MSPs, as they reduce and mitigate risks such as those shown in the SVR report, both for the organization and for its customers. In addition to comprehensive EPDR protection, they are based on a "Zero-Trust" approach through their free Zero-Trust Application Service, which means every binary is pre-analyzed before it is executed. Moreover, these solutions are integrated into the unified cybersecurity platform in the WatchGuard Cloud, which offers simple end-to-end management for MSPs.