
Russian intelligence use JetBrains CVE in global targeting

13.12.2023

Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale.


The Federal Bureau of Investigation (FBI), US Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023. 

Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations. Although the SVR executed such an operation against SolarWinds and its customers in 2020, the authoring agencies are currently unaware of any attempts by the SVR to use the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments. 

Software supply chain compromise is one of the most insidious threats and among the hardest to detect and mitigate. Conducting such activity requires dedicating significant resources, access and R&D effort. If successful, it may allow the deployment of a malicious update which, in the simplest scenario, could execute adversary tools, enabling access to devices or whole networks. In a more complicated scenario, access to the build pipeline could allow the adversary to compromise the code at compilation time and introduce almost undetectable modifications to the software, such as minuscule changes to cryptographic protocols that could enable decryption of the protected data. Supply chain compromise can easily have unforeseen consequences and spill-over effects, and can result in enormous damage to the economy, civilian organizations or public safety.

SKW, working together with CERT.PL, the United States Intelligence Community and the United Kingdom Intelligence Community, in cooperation with private entities, has countered and disrupted a Russian attempt to gain access to the software supply chain of dozens of entities globally. Joint actions enabled identification of the campaign, its victims, and the tools and techniques used by the SVR, as well as disabling infrastructure and neutering tools. These were neither the first nor will they be the last actions taken by the Intelligence Community of like-minded countries to protect allied countries, civilian infrastructure, private organizations and public safety against the irresponsible, indiscriminate and disproportionate actions of the Russian Federation.

To bring Russia’s actions to public attention, the authoring agencies are providing information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, to provide compromised entities with actionable IOCs, and to empower private sector cybersecurity companies to better detect and counter the SVR’s malicious actions. The authoring agencies recommend that all organizations with affected systems that did not immediately apply available patches or workarounds assume compromise and initiate threat hunting activities using the IOCs provided in this CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and contact the appropriate national CSIRT.

SKW and CERT.PL wish to acknowledge the cooperation, support and coordination of private cybersecurity companies. Once again, public-private partnership is the cornerstone of defeating cyberthreats. SKW wishes to especially thank Microsoft for its outstanding cooperation. Once notified, Microsoft disabled all known accounts abused by this actor for command and control.

The joint CSA, authored by the Federal Bureau of Investigation (FBI), US Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC), can be accessed here: https://www.gov.pl/attachment/f111510e-f9b6-40e7-b3f0-7cae28c8ff38.

SKW’s mission is to collect and analyze information relevant to the security of the Republic of Poland and the Polish Armed Forces, and also to conduct operations to neutralize identified threats. SKW’s mission also covers cyberthreats, especially those from foreign state actors. The contest between intelligence and counterintelligence services in cyberspace is constantly ongoing and takes place below the threshold of conflict. The reality is that, whenever a malicious presence within networks is detected, it is most often too late to effectively counter the adversary’s operation or intelligence collection; at most, it might be possible to limit the resulting impact. Therefore, SKW, as a member of the Polish Intelligence Community, proactively tracks and identifies foreign actors with the goal of disrupting their operations or capabilities before they can attempt to fulfill their objectives. SKW’s goal is to create constant friction and to impose cost on the adversary’s resources and ability to act.

CERT Polska is the first Polish computer emergency response team. Active since 1996 in the response teams community, it has become a recognized and experienced entity in the field of computer security. Since its launch, the core of the team’s activity has been handling security incidents and cooperating with similar units worldwide. CERT Polska also conducts extensive security-related R&D. In 1998, CERT Polska became a member of the international forum of response teams (FIRST), and since 2000 it has been a member of the working group of the European response teams, TERENA TF-CSIRT, accredited by Trusted Introducer. The CERT Polska team operates within the structures of NASK (Research and Academic Computer Network), a research institute which conducts scientific studies, operates the national .pl domain registry and provides advanced IT services. Since 5 July 2028, CSIRT NASK has fulfilled the tasks outlined in the Polish cybersecurity act: monitoring threats and incidents at the national level, responding to and coordinating reported incidents, performing advanced analyses of malware and vulnerabilities, developing tools and methods to detect and combat cybersecurity threats, and conducting awareness-raising activities in the cybersecurity area.

Materials

JCSA APT29 Russian Foreign Intelligence Service Cyber Actors
JCSA_APT29_Russian_Foreign_Intelligence_Service_Cyber_Actors_-_for_release.pdf (0.56 MB)