U.S.: Russian SVR Cyber Activity Poses a 'Global Threat'

The FBI, NSA, and other agencies are warning defenders about recent operations by Russian SVR offensive teams and specifically highlighting the group’s exploitation of numerous vulnerabilities, including some tricky Bluetooth bugs that can be exploited over the air. 

The advisory is a rare glimpse into the operational capabilities of the SVR’s offensive group, which is also known in the security community as APT 29 and Cozy Bear and is one of the more aggressive and capable threat actors on the landscape. Security research teams regularly publish information on the SVR’s tools and techniques, and its activities are well documented, but it’s unusual for the FBI, NSA, Cyber National Mission Force, and the UK’s National Cyber Security Centre to publish specific details of the TTPs, targeting, and vulnerabilities that a group is exploiting.

Why It Matters: This threat group is highly capable and well-resourced and is known to target government agencies, critical infrastructure, private companies and whatever other targets of opportunity present themselves. Advisories such as this are meant to drive the point home to defenders about the seriousness of the activity and the urgency of addressing the vulnerabilities and weaknesses the group is exploiting. 

Key Details:

  • The SVR conducts mass scanning of the Internet to identify systems that are vulnerable to specific bugs, looking for targets of opportunity. 

  • The group prioritizes anonymity and will often burn down its infrastructure once it believes an operation has been discovered. “To remain undetected, the SVR frequently uses tools and programs already on victim networks to avoid anti-virus software. During intrusions into cloud environments, the SVR exploits misconfigurations and weak access controls to access information without the need for additional software,” the advisory says.

  • The group regularly exploits vulnerabilities in network, server, desktop, and cloud platforms and has the capability to do original vulnerability research and exploit development. For example, the SVR has exploited two separate Bluetooth flaws (CVE-2023-24023 and CVE-2023-45866) that can be exploited over the air.

CVEs Exploited: A few of the other flaws that the SVR is known to have exploited in recent operations include: CVE-2023-20198 in Cisco IOS XE, CVE-2023-40088 in Android, CVE-2022-40507 in Qualcomm Core, CVE-2023-36745 in Microsoft Exchange Server, and CVE-2023-4966 in Google Chrome.

“Since at least 2021, Russian SVR cyber actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes – have consistently targeted US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organizations,” the advisory says. 

Further Reading

  • The joint cybersecurity advisory

  • Microsoft threat intelligence analysis of SVR activity