Following attribution of the SolarWinds supply chain attack to Russia's APT29, the US CISA infosec agency has published a list of the spies' known tactics – including a penchant for using a naughtily named email provider.
APT29* is the Western infosec world's codename for what we now know is the Russian Foreign Intelligence Service, known by its Russian acronym SVR.
As well as publishing a list of things US counterintelligence know about their Russian offensive counterparts, CISA has also added some advice on how to avoid these common Russian intelligence compromise tactics.
SVR's break-in pros use techniques including "low and slow" password spraying aimed at known admin accounts and zero-day exploits against VPN appliances, followed by the deployment of droppers such as WellMess.
The FBI's initial findings indicate similar post-infection tradecraft with other SVR-sponsored intrusions, including how the actors purchased and managed infrastructure used in the intrusions. After obtaining access to victim networks, SVR cyber actors moved through the networks to obtain access to e-mail accounts. Targeted accounts at multiple victim organizations included accounts associated with IT staff. The FBI suspects the actors monitored IT staff to collect useful information about the victim networks, determine if victims had detected the intrusions, and evade eviction actions.
Detecting the SVR consisted of fairly routine stuff, according to CISA: auditing log files "to identify attempts to access privileged certificates", monitoring networks for encoded PowerShell commands, behavioural profiling of accounts to detect unusual activity indicating a compromise, and using threat intel to keep an eye on "credential abuse within cloud environments."
One giveaway that you might have a Russian spy poking about, warned CISA, is the use of a cock[.]li email address. Though we're fairly sure it wasn't a Russian spy who called us abusive names from a cock[.]li email address in 2016, CISA reckons: "While not exclusively used by SVR cyber actors, a number of SVR cyber personas use e-mail services hosted on cock[.]li or related domains."
We have asked cock[.]li's maintainer, Vincent Canfield, by email for his thoughts on being named by the US government as a harbourer of hostile foreign spies, and will reproduce any printable ones if he replies. ®
*Because this is the Western infosec world there are about 50 different names for APT29 depending on which company is talking about them, what day of the week it is, and whether it's sunny or cloudy. Variations include The Dukes, Cozy Bear, the unpronounceable Yttrium, etc. etc.
We are told this is a marketing strategy, just as startups nobody's heard of like to call themselves things like "the leading business in the editable-character-on-white-background-digital-processing vertical".