
From Altai To The Red Square
The Russian government engages in malicious cyber activities to enable broad-scope cyber espionage, to suppress certain social and political activity, to steal intellectual property, and to harm regional and international adversaries.
Indicators of Compromise
Domains (223)
Hashes (1121)
IPv4 (1000)
CVEs (25)
CVE-2021-26857
CVE-2018-13379
CVE-2020-4006
CVE-2021-27065
CVE-2021-40449
CVE-2021-21972
CVE-2019-0859
CVE-2019-19781
CVE-2019-1653
CVE-2020-14882
CVE-2021-26858
CVE-2019-0797
CVE-2021-26855
CVE-2019-2725
CVE-2021-28310
CVE-2019-16098
CVE-2018-19320
CVE-2020-5902
CVE-2016-3309
CVE-2021-21551
+5 more
APT Groups
Energetic Bear (Russian Federation)
Inception Framework (Russian Federation)
UNC2452 (Russian Federation)
APT 29 (Russian Federation)
White Bear (Russian Federation)
Notes
<h3 style=""><font><span style="color: var(--q-dark); letter-spacing: 0.00735em;">Russian Malicious Cyber Activity</span></font></h3><h4><font><br></font><p class="MsoCaption text-align-center" style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5; font-size: 16px; text-align: center; color: rgb(51, 51, 51); letter-spacing: normal; break-after: avoid;"><em style="box-sizing: border-box;"><font>Table 1: CISA and Joint CISA Publications</font></em></p><table border="1" cellpadding="1" cellspacing="1" class="general-table" style="box-sizing: border-box; border-collapse: collapse; border-spacing: 0px; color: rgb(51, 51, 51); font-size: 16px; letter-spacing: normal; width: 844.9px; height: 312px; margin-right: auto; margin-left: auto;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box; background-color: rgb(241, 241, 241);"><th style="box-sizing: border-box; padding: 0px; text-align: left;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"><strong style="box-sizing: border-box;"><font>Publication Date</font></strong></p></th><th style="box-sizing: border-box; padding: 0px; text-align: left; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"><strong style="box-sizing: border-box;"><font>Title</font></strong></p></th><th style="box-sizing: border-box; padding: 0px; width: 630px;"><font>Description</font></th></tr></thead><tbody style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><b><font>April 20, 2022</font></b></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-110a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint 
Cybersecurity Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font>The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity. This activity may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.</font></p><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"><font>This advisory provides an overview of Russian state-sponsored advanced persistent threat groups, Russian-aligned cyber threat groups, and Russian-aligned cybercrime groups to help the cybersecurity community protect against possible cyber threats.</font></p></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>March 24, 2022</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-083a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint Cybersecurity Advisory: Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font>This joint Cybersecurity Advisory—coauthored by CISA, the 
Federal Bureau of Investigation (FBI), and the Department of Energy (DOE)—provides information on multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted U.S. and international Energy Sector organizations. CISA, the FBI, and DOE responded to these campaigns with appropriate action in and around the time that they occurred. CISA, the FBI, and DOE are sharing this information in order to highlight historical tactics, techniques, and procedures (TTPs) used by adversaries to target U.S. and international Energy Sector organizations.</font></p><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"><font>On March 24, 2022, the U.S. Department of Justice unsealed indictments of three Russian Federal Security Service (FSB) officers and a Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) employee for their involvement in intrusion campaigns against U.S. and international oil refineries, nuclear facilities, and energy companies.</font></p></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>March 15, 2022</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-074a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint Cybersecurity Advisory: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Advisory warns organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA 
protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>February 23, 2022</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-054a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint Cybersecurity Advisory: New Sandworm Malware Cyclops Blink Replaces VPNFilter</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>In this Advisory, NCSC-UK, CISA, NSA and the FBI report that the malicious cyber actor known as Sandworm or Voodoo Bear is using new malware, referred to as Cyclops Blink. 
Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>February 16, 2022</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-047a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint Cybersecurity Advisory: Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. 
This Advisory provides detection and mitigation recommendations for CDCs to reduce the risk of data exfiltration by Russian state-sponsored actors.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>January 11, 2022</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-011a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint Cybersecurity Advisory: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Advisory provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. 
It is intended to help the cybersecurity community reduce the risk presented by these threats.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>July 20, 2021</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><font>ICS Advisory: <a href="https://us-cert.cisa.gov/ics/advisories/ICSA-14-178-01" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">ICSA-14-178-01: ICS Focused Malware – Havex</a></font></li><li style="box-sizing: border-box;"><font>ICS Alert: <a href="https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-281-01B" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">ICS-ALERT-14-281-01E: Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)</a></font></li><li style="box-sizing: border-box;"><font>ICS Alert: <a href="https://us-cert.cisa.gov/ics/alerts/IR-ALERT-H-16-056-01" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">IR-ALERT-H-16-056-01: Cyber-Attack Against Ukrainian Critical Infrastructure</a></font></li><li style="box-sizing: border-box;"><font>Technical Alert: <a href="https://us-cert.cisa.gov/ncas/alerts/TA17-163A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">TA17-163A: CrashOverride Malware</a></font></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>These previously published ICS advisories and alerts contain information on historical cyber-intrusion campaigns by Russian nation-state cyber actors.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>July 16, 2021</font></td><td 
style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint Cybersecurity Advisory: APT29 targets COVID-19 vaccine development</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"><font>This Advisory details recent Tactics, Techniques and Procedures (TTPs) of the group commonly known as ‘APT29’, also known as ‘the Dukes’ or ‘Cozy Bear’. It also provides indicators of compromise as well as detection and mitigation advice.</font></p></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>July 1, 2021</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Advisory details how the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) has targeted hundreds of U.S. and foreign organizations using brute force access to penetrate government and private sector victim networks. 
The advisory reveals the tactics, techniques, and procedures (TTPs) GTsSS actors used in their campaign to exploit targeted networks, access credentials, move laterally, and collect and exfiltrate data.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>May 14, 2021</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>CISA Analysis Report: Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Analysis Report provides guidance to federal agencies in crafting eviction plans in response to the SolarWinds Orion supply chain compromise. The guidance is intended for federal agencies with networks that used affected versions of SolarWinds Orion and have evidence of follow-on threat actor activity. Although this guidance is tailored to federal agencies, CISA encourages critical infrastructure entities; state, local, tribal, and territorial government organizations; and private sector organizations to review and apply it, as appropriate. 
<strong style="box-sizing: border-box;">Note: </strong>For more information on the SolarWinds Orion supply chain compromise, refer to the <a href="https://us-cert.cisa.gov/Remediating-APT-Compromised-Networks" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise</a> webpage.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>May 7, 2021</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint NCSC-CISA-FBI-NSA CSA: Further TTPs associated with SVR cyber actors</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Joint Cybersecurity Advisory (CSA) is on Russian SVR activities related to the SolarWinds Orion compromise. The CSA details SVR tactics, techniques, and procedures (TTPs) and SVR-leveraged malware, including WELLMESS, WELLMAIL, GoldFinder, GoldMax, and possibly Sibot, as well as open-source Red Team command and control frameworks, Sliver and Cobalt Strike. <strong style="box-sizing: border-box;">Note: </strong>See <a href="https://us-cert.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Russian_SVR_Activities_Related_to_SolarWinds_Compromise_508C.pdf" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">FactSheet: Russian SVR Activities</a> for summaries of three key Joint CSAs that detail Russian SVR activities related to the SolarWinds compromise. 
For more information on the SolarWinds Orion supply chain compromise, refer to the <a href="https://us-cert.cisa.gov/Remediating-APT-Compromised-Networks" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise</a> webpage.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>April 26, 2021</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-116a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint FBI-DHS-CISA CSA: SVR Cyber Operations: Trends and Best Practices for Network Defenders</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Joint CSA is on Russian SVR activities related to the SolarWinds Orion compromise. The CSA provides information on SVR TTPs. Specifically, this CSA points out the FBI's observation that, starting in 2018, the SVR shifted from "using malware on victim networks to targeting cloud resources, particularly e-mail, to obtain information." Significantly, SVR's compromise of Microsoft cloud environments following their SolarWinds Orion supply chain compromise is an example of this trend. <strong style="box-sizing: border-box;">Note: </strong>See <a href="https://us-cert.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Russian_SVR_Activities_Related_to_SolarWinds_Compromise_508C.pdf" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">FactSheet: Russian SVR Activities</a> for summaries of three key Joint CSAs that detail Russian SVR activities related to the SolarWinds compromise. 
For more information on the SolarWinds Orion supply chain compromise, refer to the <a href="https://us-cert.cisa.gov/Remediating-APT-Compromised-Networks" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise</a> webpage.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>April 15, 2021</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint NSA-CISA-FBI CSA: Russian SVR Targets U.S. and Allied Networks</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Joint CSA is on Russian SVR activities related to the SolarWinds Orion compromise. The CSA details the vulnerabilities the SVR is leveraging—as well as the techniques it is using—in its attempts to compromise U.S. and Allied networks. <strong style="box-sizing: border-box;">Note: </strong>See <a href="https://us-cert.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Russian_SVR_Activities_Related_to_SolarWinds_Compromise_508C.pdf" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">FactSheet: Russian SVR Activities</a> for summaries of three key Joint CSAs that detail Russian SVR activities related to the SolarWinds compromise. 
For more information on the SolarWinds Orion supply chain compromise, refer to the <a href="https://us-cert.cisa.gov/Remediating-APT-Compromised-Networks" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise</a> webpage.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>March 18, 2021</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-077a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>CISA Alert: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"><font>This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with the SolarWinds Orion supply chain compromise. 
<strong style="box-sizing: border-box;">Note: </strong>For more information on the SolarWinds Orion supply chain compromise, refer to the <a href="https://us-cert.cisa.gov/Remediating-APT-Compromised-Networks" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise</a> webpage.</font></p></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>January 8, 2021</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-008a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>CISA Alert: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Alert is a companion alert to <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-352a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">CISA Alert: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations</a>. This Alert addresses the APT actor's tactics and techniques. 
<strong style="box-sizing: border-box;">Note: </strong>For more information on the SolarWinds Orion supply chain compromise, refer to the <a href="https://us-cert.cisa.gov/Remediating-APT-Compromised-Networks" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise</a> webpage.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>December 17, 2020</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-352a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>CISA Alert: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations</font></a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>MAR 10318845-1.v1 - SUNBURST</font></a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>MAR 10320115-1.v1 - TEARDROP</font></a></li><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>MAR 10327841-1.v1 – SUNSHUTTLE</font></a></li></ul><p style="box-sizing: border-box; margin-bottom: 10px; line-height: 1.5;"><font> </font></p><p style="box-sizing: border-box; margin-bottom: 0px; line-height: 1.5;"><font> </font></p></td><td 
style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Alert focuses on an APT actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations. <strong style="box-sizing: border-box;">Note: </strong>For more information on the SolarWinds Orion supply chain compromise, refer to the <a href="https://us-cert.cisa.gov/Remediating-APT-Compromised-Networks" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise</a> webpage.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>October 22, 2020</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-296a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint FBI-CISA CSA: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Joint CSA provides information on Russian state-sponsored APT actor activity targeting various U.S. state, local, tribal, and territorial government networks, as well as aviation networks. 
This Advisory updates <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-283a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);">Joint CISA-FBI CSA: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations</a>.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>October 9, 2020</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-283a" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint CISA-FBI CSA: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Joint CSA provides information on APT actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability. 
The commonly used tactic, known as vulnerability chaining, exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>April 16, 2018</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/TA18-106A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint DHS-FBI-NCSC Alert: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Joint Technical Alert provides information on the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors. 
Targets are primarily government and private-sector organizations, critical infrastructure providers, and the internet service providers supporting these sectors.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>March 15, 2018</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/TA18-074A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint DHS-FBI Alert: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Joint Technical Alert provides information on Russian government actions targeting U.S. government entities as well as critical infrastructure organizations. It also contains IOCs and technical details on the TTPs used by Russian government cyber actors on compromised victim networks.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>July 1, 2017</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/ncas/alerts/TA17-181A" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>CISA Alert: Petya Ransomware</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Technical Alert provides in-depth technical analysis of NotPetya malware, a Petya malware variant that surfaced on June 27, 2017. The U.S. 
Government has publicly attributed this NotPetya malware variant to the Russian military.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>February 10, 2017</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>CISA Analysis Report: Enhanced Analysis of GRIZZLY STEPPE Activity</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Analysis Report provides signatures and recommendations to detect and mitigate threats from GRIZZLY STEPPE actors.</font></td></tr><tr style="box-sizing: border-box;"><td class="text-align-center" style="box-sizing: border-box; padding: 0px; text-align: center;"><font>December 29, 2016</font></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><ul style="box-sizing: border-box; margin-top: 0px; margin-bottom: 10px; padding-left: 1.5em;"><li style="box-sizing: border-box;"><a href="https://us-cert.cisa.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" style="box-sizing: border-box; background-color: transparent; color: rgb(43, 114, 175);"><font>Joint DHS-FBI Analysis Report: GRIZZLY STEPPE - Russian Malicious Cyber Activity</font></a></li></ul></td><td style="box-sizing: border-box; padding: 0px; width: 630px;"><font>This Joint Analysis Report provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence services (RIS) to compromise and exploit networks and endpoints associated with the U.S. 
election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.</font></td></tr></tbody></table></h4>
Mitigation
<div>Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department.</div>
<div><br></div>
<div>An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb (informatsionnoye protivoborstvo) as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing "Information Countermeasures" into two groups, "Informational-Technical" and "Informational-Psychological". The former encompasses network operations relating to defense, attack, and exploitation; the latter covers "attempts to change people's behavior or beliefs in favor of Russian governmental objectives." <a href="https://en.wikipedia.org/wiki/Cyberwarfare_by_Russia">REF</a><br></div>
<div><br></div>
<div>APT28 targets insider information related to governments, militaries, and security organizations that would likely benefit the Russian government. APT28 uses spearphishing emails to target its victims, a common tactic in which the threat group crafts its emails to mention specific topics (lures) relevant to recipients. This increases the likelihood that recipients will believe that the email is legitimate and will be interested in opening the message, opening any attached files, or clicking on a link in the body of the email. Since spearphishing lures are tailored to the recipients whose accounts APT28 hopes to breach, the subjects of the lures provide clues as to APT28’s targets and interests. For example, if the group’s lures repeatedly refer to the Caucasus, then this most likely indicates that APT28 is trying to gain access to the accounts of individuals whose work pertains to the Caucasus. Similarly, APT28’s practice of registering domains that mimic those of legitimate news, politics, or other websites indicates topics that are relevant to APT28’s targets.<br></div>
<div><br></div>
<div><div>APT28’s tools are suggestive of the group’s skills, ambitions, and identity. Our analysis of some of the group’s more commonly used tools indicates that APT28 has been systematically updating its tools since 2007. APT28 is most likely supported by a group of developers creating tools intended for long-term use and versatility, who make an effort to obfuscate their activity. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely a nation state government. APT28’s malware settings suggest that the developers have done the majority of their work in a Russian language build environment during Russian business hours, which suggests that the Russian government is APT28’s sponsor.</div>
<div><br></div>
<div>APT29 operations target the United States' (US) interests and those of NATO and partner countries. Despite the publicization of multiple APT29 operations, the group continues to be extremely prolific. In 2022, APT29 has focused on organizations responsible for influencing and crafting the foreign policy of NATO countries. This has included multiple instances where APT29 revisited victims it had compromised years, or sometimes only months, beforehand. This persistence and aggressiveness are indicative of sustained interest in this information and strict tasking by the Russian Government. <span style="color: var(--q-dark);">Russian state-sponsored cyber actors accessed the software development infrastructure of U.S. company SolarWinds—possibly as early as January 2019, according to its CEO—and secretly modified the source code of its Orion network management software to enable malicious follow-on activity. Among the 18,000 government and private users that downloaded the compromised software via an automatic security update, nine federal agencies and about 100 private-sector companies publicly disclosed follow-on compromises enabled by this software supply chain attack. On 15 April 2021, the U.S. Government formally named the Russian Foreign Intelligence Service (SVR), also known in cyber security circles as APT29, Cozy Bear, and The Dukes, as the perpetrator of the cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures. The accompanying White House release stated that the U.S. Intelligence Community has high confidence in its assessment of attribution to the SVR.</span></div></div>