The Federal Bureau of Investigation (FBI), Department of Homeland Security, and CISA have released a Joint Cybersecurity Advisory (CSA) addressing Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium—continued targeting of U.S and foreign entities. The SVR activity—which includes the recent SolarWinds Orion supply chain compromise—primarily targets government networks, think tank and policy analysis organizations, and information technology companies and seeks to gather intelligence information.

This CSA complements the CISA, FBI, and National Security Agency (NSA) Joint CSA: Russian SVR Targets U.S. and Allied Networks and provides tactics, tools, techniques, and capabilities to help organizations conduct investigations and secure their networks.

CISA is encouraging users and administrators to review Joint CSA AA21-116A: Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders and implement the recommended mitigations. For additional information on SVR-related activity, review the following resources:

This new advisories help organizations get a better picture about real-life operations of a sophisticated adversary, detailing how the attacks are carried out, explains Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software. "A well-established security operations would include strong passwords, require frequent changes of them plus additional 2FA when critical systems are involved. In the same way, vulnerabilities would be addressed and system integrity changes monitored. The good side of those frequent advisories is that they foster increased knowledge share. Still, there is a possible downside, the distraction from an overall approach to cybersecurity. Frequent advisories will lead to many questions from senior management and executive boards about the status of an organization in the light of those. Cybersecurity teams will be – at least – required to balance these request with their regular work."

Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "Organizations should pay attention to security recommendations and known tradecraft, as well as known exploited vulnerabilities, while also ensuring that affected software in the advisories is updated to current patched versions." 

Nikkel adds, "The information can certainly help any organization because it gives them a chance to update and vet their signatures, talk to their vendors, and think about how they might be targeted. The only downside to any published indicators is that these represent observed attacks and may lead to a false sense of security. Meanwhile, the adversary changes their tactics or signatures in this ongoing cat-and-mouse game."

Though the new advisories are not "saying anything new or not already known," everything outlined could be mitigated with good hygiene and hardening of systems, says Joseph Neumann, Cyber Executive Advisor at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services. "Organizations that are currently under attack are on the lower end of the maturity spectrum in their security posture. Basic things like enabling two-factor authentication on admin credentials, not allowing for remote logins from unknown IP addresses, or having a management VPN/backplane are common for any company with these tools. With the amount of time that has passed, most likely these adversaries have spread in the network and taken what they wanted or spread to another set of infrastructure." 

Neumann adds, "These advisories fall short of providing Indicators or Compromise, and just speak to the Tactics, Techniques and procedures. These are helpful to a degree that allows administrators and defenders to know where to start their initial looks, but fall short of giving them data that they can plug into security tools to begin immediate automated remediations and mitigations."