The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) released this Joint Cybersecurity Advisory to highlight the tactics, techniques, and procedures (TTPs) employed by the Russian Federation’s Foreign Intelligence Service (SVR) in recent cyber operations and provide network defenders with information to help counter SVR cyber threats.

Since at least 2021, Russian SVR cyber threat actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes – have consistently targeted US, European, and global entities in the Defense Industrial Base, Information Technology, and Financial Services sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organizations.

The authoring agencies are releasing this advisory to warn network defenders that SVR cyber threat actors are highly capable of and interested in exploiting software vulnerabilities for initial access and escalation of privileges. Organizations should prioritize rapid patch deployment and keep software up to date. The SVR continues using TTPs, such as spearphishing, password spraying, abuse of supply chain and trusted relationships, custom and bespoke malware, cloud exploitation, and living-off-the-land (LOTL) techniques to gain initial access, escalate privileges, move laterally, maintain persistence in victim networks and cloud environments, and exfiltrate information. SVR actors often use The Onion Router (TOR) network, leased and compromised infrastructure, and proxies to obfuscate activity.

Reporting