The FBI, National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. government’s national cybersecurity center have issued a joint advisory to outline additional cyber tactics, techniques and procedures used by Russian foreign intelligence service actors to compromise networks.
Russia’s SVR actors often zero in on the mailboxes of target administrators to gain further network access and information, and they use an open-source command and control framework called Sliver, the agencies said Friday.
“The use of the Sliver framework was likely an attempt to ensure access to a number of the existing WellMess and WellMail victims was maintained following the exposure of those capabilities,” the notice reads.
The agencies recommended mitigation strategies to help safeguard networks against nation-state actors, including applying security updates, implementing good network security controls, managing user privileges, and ensuring sufficient logging on-premises and in the cloud to detect compromised accounts.
The advisory also suggested the use of Microsoft’s mailbox auditing action – MailItemsAccessed – to enable administrators to investigate and identify compromised email accounts.
The document came nearly a month after CISA, FBI and NSA issued an advisory listing five network vulnerabilities used by SVR actors to infiltrate U.S. and allied government systems.