Midnight Blizzard using Microsoft Teams to launch spear phishing campaigns

Midnight Blizzard has been actively targeting organizations across various sectors since at least 2021.

The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have released a joint cybersecurity advisory detailing the tactics, techniques, and procedures (TTPs) employed by the Russian Federation’s Foreign Intelligence Service (SVR) in recent cyber operations.

The group, also known by aliases such as APT29, Midnight Blizzard, Cozy Bear, and The Dukes, has been actively targeting organizations across various sectors since at least 2021. These cyber actors have primarily focused on defense, technology, finance, and other strategic industries in the US, Europe, and elsewhere around the world. Their ultimate goal is to gather sensitive foreign intelligence and support broader cyber operations, including those related to Russia’s military actions, like the ongoing invasion of Ukraine.

In 2023, SVR shifted tactics by leveraging Microsoft Teams to conduct sophisticated spear phishing attacks. By impersonating legitimate technical support personnel, they sent messages to targeted individuals through Teams chat. These messages were designed to trick victims into granting account access, thus giving the attackers a foothold within their organizations. This campaign was facilitated by the compromise of poorly secured Microsoft customer accounts, often from small businesses. Once the actor gained access to these accounts, they used these environments to launch further attacks, including against government agencies, technology firms, and non-governmental organizations.
