2023-04-19

Cyber defence, intelligence and operations organisations in the US and UK have publicly called out Russian military hackers as the source of a series of system raids that exploited a series of vulnerabilities on poorly configured Cisco routers in 2021, upping the ante on nation-state attack attribution as the war in Ukraine grinds on.

In a joint advisory issued by the US National Security Agency (NSA), UK National Cyber Security Centre (NCSC), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI), the Western cyber defenders have named APT28, better known as ‘Fancy Bear’, as the attackers behind a slew of intrusions and malware insertions that hit both Ukrainian and Western assets.

The public attribution is essentially about telling system and network operators and owners — especially in governments — that Fancy Bear is known to be active and looking for tasty treats.

“We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor,” the joint advisory said.

The UK’s NCSC, part of British signals intelligence agency GCHQ, previously pinned the large-scale cyber attacks against the German parliament in 2015 on Fancy Bear followed by an attempted hit on the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018 that authorities say was intended to “disrupt independent analysis of chemicals weaponized by the GRU in the UK”.

That independent analysis was to confirm the use of the Novichok nerve agent in Salisbury in an effort to kill Sergei Skripal, a double agent previously in Russian military intelligence whom Britain had recruited in the 1990s and who moved to the UK after a spy swap. Britain says it is now certain the Salisbury attack was carried out by serving GRU officers.

The public attribution of the Fancy Bear hacking unit by the US and UK comes just days after a multilateral announcement that cyber authorities want to see enterprise software built with security baked in from the start, rather than retrofitted after holes are discovered and exploited.

A fresh Russian offensive is anticipated in Ukraine now that Russian conscription powers have been toughened, a scenario that logically translates to more cyber hits ahead of attacks.

The Fancy Bear warning also draws a link with Ukraine.

“In 2021, APT28 used infrastructure to masquerade Simple Network Management Protocol (SNMP) access into Cisco routers worldwide. This included a small number based in Europe, US government institutions and approximately 250 Ukrainian victims,” the joint advisory says.

“SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.”

“A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks,” it continues.
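The advisory's point about poor SNMP configuration can be turned into a concrete check. The Python script below is an added example, not code from the advisory or from the agencies that issued it: it audits the `snmp-server community` lines of a Cisco IOS-style running-config for the weaknesses named above (default or easy-to-guess community strings, read-write access, no source ACL) and places a hardened SNMPv3 fragment beside the weak one for comparison. The hostname, community strings, ACL numbers, the list of guessable strings and the passphrase placeholders are all constructed for the example.

```python
"""Audit Cisco IOS-style SNMP configuration for weak community strings.

Added example, not part of the joint advisory. All configuration text,
the weak-string list and the ACL/passphrase values are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed list of default / easy-to-guess community strings that
# network scanners commonly try first.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp", "community", "secret"}
MIN_COMMUNITY_LEN = 12

# Matches: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
SNMP_COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<name>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed weak configuration: SNMPv2c with default strings and no ACL.
WEAK_CONFIG = """\
hostname edge-rtr1
snmp-server community public RO
snmp-server community private RW
snmp-server community N3tM0n-r0-9f3a2c RO 10
snmp-server location Datacentre A
"""

# Constructed corrected form: SNMPv3 with authentication and encryption,
# restricted to a management host. Passphrases are placeholders.
HARDENED_CONFIG = """\
hostname edge-rtr1
access-list 10 permit 192.0.2.10
snmp-server group NETMON v3 priv access 10
snmp-server user netmon NETMON v3 auth sha AUTHPASS-PLACEHOLDER priv aes 128 PRIVPASS-PLACEHOLDER
snmp-server location Datacentre A
"""


@dataclass
class Finding:
    community: str
    line: str
    issues: list = field(default_factory=list)


def assess_community(name: str) -> list:
    """Return the reasons a community string is weak (empty list = none found)."""
    issues = []
    if name.lower() in WEAK_COMMUNITIES:
        issues.append("default/guessable community string")
    if len(name) < MIN_COMMUNITY_LEN:
        issues.append(f"short community string (<{MIN_COMMUNITY_LEN} chars)")
    return issues


def audit_config(config: str) -> list:
    """Return one Finding per SNMP community line that has at least one issue."""
    findings = []
    for line in config.splitlines():
        m = SNMP_COMMUNITY_RE.match(line)
        if not m:
            continue
        issues = assess_community(m.group("name"))
        # IOS defaults to read-only when no mode is given.
        if (m.group("mode") or "RO").upper() == "RW":
            issues.append("read-write community (allows config changes)")
        if not m.group("acl"):
            issues.append("no ACL restricting SNMP sources")
        if issues:
            findings.append(Finding(m.group("name"), line.strip(), issues))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"[{label}] {len(results)} weak community line(s)")
        for f in results:
            print(f"  {f.line}")
            for issue in f.issues:
                print(f"    - {issue}")
```

Running the script against a saved `show running-config` reports each weak community line with its reasons; the hardened fragment produces no findings because it carries no v1/v2c community strings at all, which is the configuration change the advisory is steering operators towards.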

Russia in the springtime. What’s not to love?