SVR

SVR is Russia’s Foreign Intelligence Service and is described in the content as a Russian state intelligence service responsible for cyber espionage activity. The content links SVR cyber actors with the aliases APT29, the Dukes, Cozy Bear, NOBELIUM, and Midnight Blizzard. Reported activity includes the 2020 SolarWinds supply-chain compromise and broader follow-on intrusions into U.S. government, critical infrastructure, and private-sector organizations, which the U.S. Government attributed to the SVR in April 2021. In that campaign, the actor used a trojanized SolarWinds Orion DLL signed with SolarWinds’ legitimate certificate, SUNBURST malware with DNS-based command and control, and additional access methods beyond SolarWinds including password spraying, password guessing, abuse of externally exposed administrative credentials, and SAML token abuse. The content also states the actor abused compromised or spoofed authentication tokens, added tokens and certificates to Azure and Microsoft 365 service principals, modified federation trusts, compromised SAML signing certificates, targeted email accounts of key personnel, and used anti-forensic and stealth techniques. CISA assessed the actor as patient, well-resourced, focused, and capable of sustained long-duration operations. The content also states that SVR cyber actors exploited JetBrains TeamCity vulnerability CVE-2023-42793 at large scale beginning in September 2023, targeting unpatched, internet-reachable on-premises TeamCity servers globally. Authorities assessed this access could enable software supply-chain compromise, though they said they had not observed SolarWinds-like downstream attacks from this activity. Observed post-exploitation behavior included privilege escalation, lateral movement, persistence via scheduled tasks, credential theft, Active Directory enumeration, registry hive exfiltration, use of Mimikatz, use of Rubeus, use of WinPEAS, disabling antivirus and EDR including via BYOVD techniques and EDRSandBlast, and deployment of additional backdoors. The content specifically identifies the GraphicalProton backdoor, including variants using DLL hijacking in Zabbix, hiding activity in vcperf, and using Microsoft OneDrive and Dropbox for command and control and data exchange, with data obfuscated inside randomly generated BMP files. The advisory cited in the content says cybersecurity companies and governments have reported SVR operations targeting networks to steal confidential and proprietary information since 2013. The content further mentions that the SVR allegedly hacked the Democratic National Committee network in 2015, although it was not named in the 2018 Mueller indictment focused on GRU activity.