Russian Actors Change Techniques After UK and US Agencies Expose Them

“The NCSC, CISA, FBI, and NSA publish advice on detection and mitigation of SVR activity following the attribution of the SolarWinds compromise,” says the NCSC website. It found a case where the spies look for verification credentials in mails, which included passwords and PKI keys. Quite similar to MI6 with a bit of GCHQ, the SVR is a foreign intelligence agency of Russia and is as popular among the cybersecurity realm as APT29. 

Last month, UK and US agencies came together to expose the group’s techniques, allowing cybersecurity research around the world to have a glance at the lethal state-sponsored attackers that might’ve attacked their network infrastructure. After finding the NCSC report, the SVR actors have changed their TTP to avoid getting further caught and also to escape any preventive measures that network defenders might’ve placed. Besides this, the group is also pretending to be an authorized red-team pentester, to avoid getting caught. The actors also got into GitHub and installed Sliver, an open-source red-teaming platform, to keep their access active. 

The Russian actors have become more active in exploiting these vulnerabilities. NCSC, in its blogpost, warned smart City infrastructure, public operators, to be alert of suspicious state-sponsored actors that intend to steal data. “Why the sudden focus on smart streetlights and all the rest of it? The risk in smart cities is the direct control of operational technology; industrial equipment such as CCTV, streetlights, and access control systems. We understand at least one UK council is removing some smart city gear after having thought of the wisdom of installing it,” reports the Register.