{ "id": "0b221aa7-4d55-4c22-9d1f-9f30c9333c0f", "created_at": "2026-04-06T00:12:23.804186Z", "updated_at": "2026-04-10T03:37:32.78699Z", "deleted_at": null, "sha1_hash": "c4fbf4391d51d60c8a0c4750a0afa7cad8acc55d", "title": "Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders | CISA", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 65590, "plain_text": "Russian Foreign Intelligence Service (SVR) Cyber Operations:\r\nTrends and Best Practices for Network Defenders | CISA\r\nPublished: 2021-04-26 · Archived: 2026-04-05 14:26:23 UTC\r\nSummary\r\nThe Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and Cybersecurity and\r\nInfrastructure Security Agency (CISA) assess Russian Foreign Intelligence Service (SVR) cyber actors—also\r\nknown as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium—will continue to seek\r\nintelligence from U.S. and foreign entities through cyber exploitation, using a range of initial exploitation\r\ntechniques that vary in sophistication, coupled with stealthy intrusion tradecraft within compromised networks.\r\nThe SVR primarily targets government networks, think tank and policy analysis organizations, and information\r\ntechnology companies. On April 15, 2021, the White House released a statement on the recent SolarWinds\r\ncompromise, attributing the activity to the SVR. For additional detailed information on identified vulnerabilities\r\nand mitigations, see the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency\r\n(CISA), and FBI Cybersecurity Advisory titled “Russian SVR Targets U.S. and Allied Networks,” released on\r\nApril 15, 2021.\r\nThe FBI and DHS are providing information on the SVR’s cyber tools, targets, techniques, and capabilities to aid\r\norganizations in conducting their own investigations and securing their networks.\r\nClick here for a PDF version of this report.\r\nThreat Overview\r\nSVR cyber operations have posed a longstanding threat to the United States. Prior to 2018, several private cyber\r\nsecurity companies published reports about APT 29 operations to obtain access to victim networks and steal\r\ninformation, highlighting the use of customized tools to maximize stealth inside victim networks and APT 29\r\nactors’ ability to move within victim environments undetected.\r\nBeginning in 2018, the FBI observed the SVR shift from using malware on victim networks to targeting cloud\r\nresources, particularly e-mail, to obtain information. The exploitation of Microsoft Office 365 environments\r\nfollowing network access gained through use of modified SolarWinds software reflects this continuing trend.\r\nTargeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system\r\nmisconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored,\r\nor understood by victim organizations.\r\nTechnical Details\r\nSVR Cyber Operations Tactics, Techniques, and Procedures\r\nPassword Spraying\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-116a\r\nPage 1 of 5\n\nIn one 2018 compromise of a large network, SVR cyber actors used password spraying to identify a weak\r\npassword associated with an administrative account. The actors conducted the password spraying activity in a\r\n“low and slow” manner, attempting a small number of passwords at infrequent intervals, possibly to avoid\r\ndetection. The password spraying used a large number of IP addresses all located in the same country as the\r\nvictim, including those associated with residential, commercial, mobile, and The Onion Router (TOR) addresses.\r\nThe organization unintentionally exempted the compromised administrator’s account from multi-factor\r\nauthentication requirements. With access to the administrative account, the actors modified permissions of specific\r\ne-mail accounts on the network, allowing any authenticated network user to read those accounts.\r\nThe actors also used the misconfiguration for compromised non-administrative accounts. That misconfiguration\r\nenabled logins using legacy single-factor authentication on devices which did not support multi-factor\r\nauthentication. The FBI suspects this was achieved by spoofing user agent strings to appear to be older versions of\r\nmail clients, including Apple’s mail client and old versions of Microsoft Outlook. After logging in as a non-administrative user, the actors used the permission changes applied by the compromised administrative user to\r\naccess specific mailboxes of interest within the victim organization.\r\nWhile the password sprays were conducted from many different IP addresses, once the actors obtained access to\r\nan account, that compromised account was generally only accessed from a single IP address corresponding to a\r\nleased virtual private server (VPS). The FBI observed minimal overlap between the VPSs used for different\r\ncompromised accounts, and each leased server used to conduct follow-on actions was in the same country as the\r\nvictim organization.\r\nDuring the period of their access, the actors consistently logged into the administrative account to modify account\r\npermissions, including removing their access to accounts presumed to no longer be of interest, or adding\r\npermissions to additional accounts. \r\nRecommendations\r\nTo defend from this technique, the FBI and DHS recommend network operators to follow best practices for\r\nconfiguring access to cloud computing environments, including:\r\nMandatory use of an approved multi-factor authentication solution for all users from both on premises and\r\nremote locations.\r\nProhibit remote access to administrative functions and resources from IP addresses and systems not owned\r\nby the organization.\r\nRegular audits of mailbox settings, account permissions, and mail forwarding rules for evidence of\r\nunauthorized changes.\r\nWhere possible, enforce the use of strong passwords and prevent the use of easily guessed or commonly\r\nused passwords through technical means, especially for administrative accounts.\r\nRegularly review the organization’s password management program.\r\nEnsure the organization’s information technology (IT) support team has well-documented standard\r\noperating procedures for password resets of user account lockouts.\r\nMaintain a regular cadence of security awareness training for all company employees.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-116a\r\nPage 2 of 5\n\nLeveraging Zero-Day Vulnerability\r\nIn a separate incident, SVR actors used CVE-2019-19781, a zero-day exploit at the time, against a virtual private\r\nnetwork (VPN) appliance to obtain network access. Following exploitation of the device in a way that exposed\r\nuser credentials, the actors identified and authenticated to systems on the network using the exposed credentials.\r\nThe actors worked to establish a foothold on several different systems that were not configured to require multi-factor authentication and attempted to access web-based resources in specific areas of the network in line with\r\ninformation of interest to a foreign intelligence service.\r\nFollowing initial discovery, the victim attempted to evict the actors. However, the victim had not identified the\r\ninitial point of access, and the actors used the same VPN appliance vulnerability to regain access. Eventually, the\r\ninitial access point was identified, removed from the network, and the actors were evicted. As in the previous case,\r\nthe actors used dedicated VPSs located in the same country as the victim, probably to make it appear that the\r\nnetwork traffic was not anomalous with normal activity.\r\nRecommendations\r\nTo defend from this technique, the FBI and DHS recommend network defenders ensure endpoint monitoring\r\nsolutions are configured to identify evidence of lateral movement within the network and:\r\nMonitor the network for evidence of encoded PowerShell commands and execution of network scanning\r\ntools, such as NMAP.\r\nEnsure host based anti-virus/endpoint monitoring solutions are enabled and set to alert if monitoring or\r\nreporting is disabled, or if communication is lost with a host agent for more than a reasonable amount of\r\ntime.\r\nRequire use of multi-factor authentication to access internal systems.\r\nImmediately configure newly-added systems to the network, including those used for testing or\r\ndevelopment work, to follow the organization’s security baseline and incorporate into enterprise\r\nmonitoring tools.\r\nWELLMESS Malware\r\nIn 2020, the governments of the United Kingdom, Canada, and the United States attributed intrusions perpetrated\r\nusing malware known as WELLMESS to APT 29. WELLMESS was written in the Go programming language,\r\nand the previously-identified activity appeared to focus on targeting COVID-19 vaccine development. The FBI’s\r\ninvestigation revealed that following initial compromise of a network—normally through an unpatched, publicly-known vulnerability—the actors deployed WELLMESS. Once on the network, the actors targeted each\r\norganization’s vaccine research repository and Active Directory servers. These intrusions, which mostly relied on\r\ntargeting on-premises network resources, were a departure from historic tradecraft, and likely indicate new ways\r\nthe actors are evolving in the virtual environment. More information about the specifics of the malware used in\r\nthis intrusion have been previously released and are referenced in the ‘Resources’ section of this document.\r\nTradecraft Similarities of SolarWinds-enabled Intrusions\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-116a\r\nPage 3 of 5\n\nDuring the spring and summer of 2020, using modified SolarWinds network monitoring software as an initial\r\nintrusion vector, SVR cyber operators began to expand their access to numerous networks. The SVR’s\r\nmodification and use of trusted SolarWinds products as an intrusion vector is also a notable departure from the\r\nSVR’s historic tradecraft.\r\nThe FBI’s initial findings indicate similar post-infection tradecraft with other SVR-sponsored intrusions, including\r\nhow the actors purchased and managed infrastructure used in the intrusions. After obtaining access to victim\r\nnetworks, SVR cyber actors moved through the networks to obtain access to e-mail accounts. Targeted accounts at\r\nmultiple victim organizations included accounts associated with IT staff. The FBI suspects the actors monitored IT\r\nstaff to collect useful information about the victim networks, determine if victims had detected the intrusions, and\r\nevade eviction actions.\r\nRecommendations\r\nAlthough defending a network from a compromise of trusted software is difficult, some organizations successfully\r\ndetected and prevented follow-on exploitation activity from the initial malicious SolarWinds software. This was\r\nachieved using a variety of monitoring techniques including:\r\nAuditing log files to identify attempts to access privileged certificates and creation of fake identify\r\nproviders.\r\nDeploying software to identify suspicious behavior on systems, including the execution of encoded\r\nPowerShell.\r\nDeploying endpoint protection systems with the ability to monitor for behavioral indicators of compromise.\r\nUsing available public resources to identify credential abuse within cloud environments.\r\nConfiguring authentication mechanisms to confirm certain user activities on systems, including registering\r\nnew devices.\r\nWhile few victim organizations were able to identify the initial access vector as SolarWinds software, some were\r\nable to correlate different alerts to identify unauthorized activity. The FBI and DHS believe those indicators,\r\ncoupled with stronger network segmentation (particularly “zero trust” architectures or limited trust between\r\nidentity providers) and log correlation, can enable network defenders to identify suspicious activity requiring\r\nadditional investigation.\r\nGeneral Tradecraft Observations\r\nSVR cyber operators are capable adversaries. In addition to the techniques described above, FBI investigations\r\nhave revealed infrastructure used in the intrusions is frequently obtained using false identities and\r\ncryptocurrencies. VPS infrastructure is often procured from a network of VPS resellers. These false identities are\r\nusually supported by low reputation infrastructure including temporary e-mail accounts and temporary voice over\r\ninternet protocol (VoIP) telephone numbers. While not exclusively used by SVR cyber actors, a number of SVR\r\ncyber personas use e-mail services hosted on cock[.]li or related domains.\r\nThe FBI also notes SVR cyber operators have used open source or commercially available tools continuously,\r\nincluding Mimikatz—an open source credential-dumping too—and Cobalt Strike—a commercially available\r\nexploitation tool.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-116a\r\nPage 4 of 5\n\nMitigations\r\nThe FBI and DHS recommend service providers strengthen their user validation and verification systems to\r\nprohibit misuse of their services.\r\nResources\r\nNSA, CISA, FBI Joint Cybersecurity Advisory: Russian SVR Targets U.S. and Allied Networks\r\nCISA: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise\r\nCISA Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments\r\nFBI, CISA, ODNI, NSA Joint Statement: Joint Statement by the Federal Bureau of Investigation, the\r\nCybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence\r\n(ODNI), and the National Security Agency\r\nCISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical\r\nInfrastructure, and Private Sector Organizations\r\nCISA Insights: What Every Leader Needs to Know about the Ongoing APT Cyber Activity\r\nFBI, CISA Joint Cybersecurity Advisory: Advanced Persistent Threat Actors Targeting U.S. Think Tanks\r\nCISA: Malicious Activity Targeting COVID-19 Research, Vaccine Development\r\nNCSC, CSE, NSA, CISA Advisory: APT 29 targets COVID-19 vaccine development\r\nRevisions\r\nApril 26, 2021: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa21-116a\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-116a\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://us-cert.cisa.gov/ncas/alerts/aa21-116a" ], "report_names": [ "aa21-116a" ], "threat_actors": [ { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434343, "ts_updated_at": 1775792252, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c4fbf4391d51d60c8a0c4750a0afa7cad8acc55d.pdf", "text": "https://archive.orkl.eu/c4fbf4391d51d60c8a0c4750a0afa7cad8acc55d.txt", "img": "https://archive.orkl.eu/c4fbf4391d51d60c8a0c4750a0afa7cad8acc55d.jpg" } }