To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA cybersecurity reporting inquiries, contact CybersecurityReports@nsa.gov.

This document is marked TLP:CLEAR. Disclosure is not limited. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. For more information on the Traffic Light Protocol, see cisa.gov/tlp.
Update on SVR Cyber Operations and Vulnerability Exploitation
SUMMARY
The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to highlight the tactics, techniques, and procedures (TTPs) employed by the Russian Federation’s Foreign Intelligence Service (SVR) in recent cyber operations and provide network defenders with information to help counter SVR cyber threats.

Since at least 2021, Russian SVR cyber actors – also tracked as APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes – have consistently targeted US, European, and global entities in the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations, including in support of Russia’s ongoing invasion of Ukraine since February 2022. Their operations continue to pose a global threat to government and private sector organizations.
The authoring agencies are releasing this CSA to warn network defenders that SVR cyber actors are highly capable of and interested in exploiting software vulnerabilities for initial access [T1190] and escalation of privileges [T1068]. Organizations should prioritize rapid patch deployment and keep software up to date. The SVR continues using TTPs such as spearphishing [T1566], password spraying [T1078], abuse of supply chain [T1195] and trusted relationships [T1199], custom and

The authoring agencies recommend the following mitigations to protect their networks. See the Mitigations section for the complete list.

Reduce attack surface by disabling Internet-accessible services that you do not need, or restricting access to trusted networks, and by removing unused applications and utilities from workstations and development environments.

Require and enforce multi-factor authentication whenever possible.

Regularly audit cloud-based accounts and applications with administrative access to email for unusual activity.
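The summary names password spraying [T1078] as a continuing SVR technique and asks defenders to audit accounts for unusual activity. The script below is an added illustration, not code from the advisory or its authoring agencies: it runs a spray heuristic over constructed sign-in log lines (the log format, addresses and usernames are assumptions), flagging a source that fails against many distinct accounts inside a time window and then listing any accounts that later succeeded from that source.

```python
"""Password-spray heuristic over sign-in logs. A spray is one source
failing against many *distinct* accounts in a short window, so the
signal is distinct usernames per source, not failures per account."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines: "<ISO timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-10-10T08:00:01Z FAIL user=alice src=203.0.113.7
2024-10-10T08:00:03Z FAIL user=bob src=203.0.113.7
2024-10-10T08:00:05Z FAIL user=carol src=203.0.113.7
2024-10-10T08:00:07Z FAIL user=dave src=203.0.113.7
2024-10-10T08:00:09Z FAIL user=erin src=203.0.113.7
2024-10-10T08:00:11Z SUCCESS user=erin src=203.0.113.7
2024-10-10T08:05:00Z FAIL user=alice src=198.51.100.4
2024-10-10T08:05:40Z SUCCESS user=alice src=198.51.100.4
"""

def parse_line(line):
    ts, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])
def find_sprays(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: sorted distinct users} for sources whose failed logins
    touch at least `min_accounts` distinct accounts inside `window`."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails = defaultdict(list)               # src -> [(ts, user)] failures, time-ordered
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, items in fails.items():
        start = 0
        for end in range(len(items)):       # sliding time window per source
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
    return flagged

def successes_from_flagged(log_text, flagged):
    """Accounts that later succeeded from a flagged source: review these first."""
    return sorted({u for _, r, u, s in
                   (parse_line(l) for l in log_text.splitlines() if l.strip())
                   if r == "SUCCESS" and s in flagged})

if __name__ == "__main__":
    hits = find_sprays(SAMPLE_LOG)
    print(hits, successes_from_flagged(SAMPLE_LOG, hits))
```

The thresholds are tuning knobs: a single source hitting one account repeatedly (as 198.51.100.4 does here) is a lockout or brute-force pattern, not a spray, and stays unflagged.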