US, UK Agencies Warn Russian Hackers Are Adapting Based on Government Advisories (Nextgov)


    US, UK Agencies Warn Russian Hackers Are Adapting Based on Government Advisories – By Mariam Baksh (Nextgov) / May 7 2021

    The adversary is changing its tools to avoid detection while attacking the vulnerabilities governments issue warnings about.

    The Russian hacker group behind the historic SolarWinds intrusion that affected nine federal agencies keeps adjusting its tactics based on government advisories, U.S. and U.K. cybersecurity-focused agencies warn.

    A joint advisory issued Friday by the U.K.’s National Cyber Security Centre, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI specifically said Russia’s Foreign Intelligence Service (SVR) changed its behavior after the release of a July 2020 advisory on the group, also known as APT29. The U.S. and U.K. attributed the SolarWinds campaign to the Russian threat actor in April. The July advisory warned they were also targeting COVID-19 vaccine development.

    “SVR cyber operators appear to have reacted to this report by changing their [tactics, techniques and procedures] in an attempt to avoid further detection and remediation efforts by network defenders,” reads the new advisory. “These changes included the deployment of the open-source tool Sliver in an attempt to maintain their accesses.”

    Sliver is a “red team” tool, meaning it is used by legitimate actors to test an entity’s network defenses. CISA listed it in conjunction with Cobalt Strike—a similar tool that can provide adversaries with command and control functionality—in a fact sheet the agency published Friday summarizing recent activity it associates with the Russian threat group and the SolarWinds event.

    CONTINUE > https://www.nextgov.com/cybersecurity/2021/05/us-uk-agencies-warn-russian-hackers-are-adapting-based-government-advisories/173900/
