Russian Cyber Actors Target Cloud-Hosted Infrastructure

Source: National Security Agency NSA

FORT MEADE, MD. – The National Security Agency (NSA) joins the UK National Cyber Security Centre (NCSC-UK) and other partners in releasing the Cybersecurity Advisory (CSA), “SVR Cyber Actors Adapt Tactics for Initial Cloud Access.” The CSA outlines how Russia-based cyber actors are adapting their tactics, techniques, and procedures (TTPs) to infiltrate and access intelligence hosted in cloud environments as a growing number of targets store data in the cloud.
 
The cyber actors – commonly known as APT29, Midnight Blizzard, the Dukes, or Cozy Bear, and almost certainly associated with the Russian foreign intelligence service (SVR) – primarily gain access to cloud-based systems by logging into automated system accounts and inactive accounts via TTPs such as password spraying and brute forcing. These types of accounts often do not use multifactor authentication and have weak passwords, making them susceptible to the SVR actors’ techniques. According to the CSA, once inside a target’s cloud environment, the actors have successfully used system-issued tokens or registered their own devices to maintain a presence in the system. The CSA also highlights a new TTP associated with these actors: the use of residential proxies to obscure their access and make suspicious activity harder to identify.
 
This CSA also provides indicators of compromise and recommends enforcing good cybersecurity fundamentals, including system account management, short token validity time periods, conditional access policies, device enrollment, strong password enforcement, multifactor authentication, and system updates.
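As an added example (not code from the advisory), the following script flags the sign-in patterns the CSA describes over a few constructed, vendor-neutral sign-in events: a single source spraying one password across many accounts, a successful non-MFA sign-in to a long-idle service account, and a device registration from the same source afterwards. The event shape, thresholds and sample data are assumptions.

```python
"""Constructed example, not code from the advisory: flagging the sign-in patterns the
CSA describes (spraying dormant and service accounts that lack MFA, then registering
a device for persistence) over a few constructed, vendor-neutral sign-in events."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, ip, ok, mfa=False, event="signin"):
    """Build one constructed event; real cloud audit logs carry these fields under
    provider-specific names (assumption: they can be normalised to this shape)."""
    return {"ts": ts, "user": user, "ip": ip, "ok": ok, "mfa": mfa, "event": event}


# Constructed data. 203.0.113.7 tries one password against six accounts, lands on
# the idle service account svc-backup (no MFA), then registers a device from it.
EVENTS = [
    ev("2024-02-26T08:30:00", "alice", "198.51.100.10", True, mfa=True),
    ev("2024-02-26T09:00:00", "svc-backup", "203.0.113.7", False),
    ev("2024-02-26T09:01:00", "bob-old", "203.0.113.7", False),
    ev("2024-02-26T09:01:30", "alice", "203.0.113.7", False),
    ev("2024-02-26T09:02:00", "carol", "203.0.113.7", False),
    ev("2024-02-26T09:03:00", "dave", "203.0.113.7", False),
    ev("2024-02-26T09:04:00", "erin", "203.0.113.7", False),
    ev("2024-02-26T09:05:00", "svc-backup", "203.0.113.7", True),
    ev("2024-02-26T09:12:00", "svc-backup", "203.0.113.7", True, event="device_register"),
]

# Constructed last-successful-sign-in dates (what a directory's sign-in activity
# report would provide).
LAST_SEEN = {"alice": "2024-02-25", "bob-old": "2023-06-15", "svc-backup": "2023-09-01"}


def when(e):
    return datetime.fromisoformat(e["ts"])


def detect_spray(events, window_minutes=10, min_accounts=5):
    """Sources that attempted >= min_accounts distinct accounts within the window.
    One or two tries per account stays under per-account lockout thresholds, so the
    signal is breadth of accounts from one source, not failures per account."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "signin":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=when)
        for i, start in enumerate(evs):
            users = set()
            for e in evs[i:]:
                if when(e) - when(start) > timedelta(minutes=window_minutes):
                    break
                users.add(e["user"])
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def dormant_logins(events, last_seen, dormant_days=90):
    """Successful sign-ins without MFA to accounts idle for >= dormant_days (or never
    seen): the inactive and system accounts the CSA says are being targeted."""
    out = []
    for e in events:
        if e["event"] != "signin" or not e["ok"] or e["mfa"]:
            continue
        seen = last_seen.get(e["user"])
        idle = (when(e) - datetime.fromisoformat(seen)).days if seen else None
        if idle is None or idle >= dormant_days:
            out.append((e["user"], e["ip"], idle))
    return out


def registrations_from_flagged_sources(events, flagged_ips):
    """Device registrations from a source already flagged for spraying: the
    persistence step of registering the actor's own device."""
    return [(e["user"], e["ip"], e["ts"]) for e in events
            if e["event"] == "device_register" and e["ip"] in flagged_ips]


def triage(events=EVENTS, last_seen=LAST_SEEN):
    """Run the three checks and return their findings keyed by check name."""
    spray = detect_spray(events)
    return {
        "spray": spray,
        "dormant": dormant_logins(events, last_seen),
        "device_reg": registrations_from_flagged_sources(events, set(spray)),
    }


if __name__ == "__main__":
    for kind, findings in triage().items():
        print(kind, findings)
```

The three findings together (spray source, dormant account it landed on, device it registered) are what a short token lifetime, conditional access and device enrollment policies, as listed above, are meant to cut off.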
 
“We often say, ‘cybersecurity is national security,’ and the Cybersecurity Advisory we are publishing today shows why,” said Rob Joyce, NSA’s director of Cybersecurity. “We, along with our valued partners in the U.K., have seen the potential for Russian state actors to infiltrate cloud environments and we’re responding accordingly. As the world modernizes their systems, we need to do all we can to reduce the attack surface for cyber actors to penetrate.”
 
The NCSC-UK has previously detailed how the SVR actors target the governmental, think tank, healthcare, and energy sectors. The CSA describes that SVR actors’ targeting has expanded to include aviation, education, law enforcement, local and state governments, government financial departments, and military organizations.
 
The cyber actors are also known for involvement in the supply chain compromise of SolarWinds software, targeting of COVID-19 vaccine development in 2016, and the breach of Democratic National Committee communications in 2015.

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.


NSA Media Relations
MediaRelations@nsa.gov
443-634-0721

National Security Agency Announces Retirement of Cybersecurity Director

Source: National Security Agency NSA

FORT MEADE, Md. – The National Security Agency (NSA) announces the retirement of Rob Joyce, the Director of Cybersecurity and the Deputy National Manager, National Security Systems, effective March 31, 2024.

Rob will retire after 34 years of service to the NSA. Since taking the role as the director of the Cybersecurity Directorate (CSD) in 2021, he has been vital in leading the charge of CSD’s mission to prevent and eradicate threats to U.S. National Security Systems and critical infrastructure, and overseeing the expansion of strong partnerships across the U.S. Government, Defense Industrial Base, industry, allies, and academia.

“Rob’s leadership of the agency’s critical Cybersecurity mission has been exemplary,” NSA Director General Timothy D. Haugh said. “His vision and development of the CSD team and its capacities ensures that NSA’s cybersecurity mission is healthy and will continue to be successful in protecting our allies and national systems well into the future.”

Joyce assumed the position after serving as NSA’s top cryptologic representative in the United Kingdom, the Special U.S. Liaison Officer in London. Joyce has also held positions in the National Security Council, serving as Special Assistant to the President and Cybersecurity Coordinator at the White House from March 2017 to May 2018, including time as acting Deputy Homeland Security Advisor and Acting Homeland Security Advisor. Joyce also led Tailored Access Operations (TAO) at NSA, the organization that executes the foreign intelligence mission through hacking activities.
 
“I am honored to have served for over 34 years at the National Security Agency,” Joyce said. “It has been a privilege to lead the nation’s most talented and dedicated team of cybersecurity professionals. Making a difference in the security of the nation is truly an honor.”
 
Joyce will be succeeded by David Luber, the Deputy Director of the Cybersecurity Directorate. Prior to this role, Luber served as the Executive Director (EXDIR) for U.S. Cyber Command (USCYBERCOM). The EXDIR is the highest-ranking civilian and third-in-command at USCYBERCOM. Luber has served for over 30 years across this global enterprise and brings a diversified portfolio that makes him uniquely qualified to fill this critical role for the nation.
 

Combatting Cyber Threat Actors Perpetrating Living Off the Land Intrusions

Source: National Security Agency NSA

FORT MEADE, Md. – The National Security Agency (NSA) is proud to partner with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United Kingdom National Cyber Security Centre (NCSC-UK) on CISA’s Cybersecurity Technical Report (CTR) “Identifying and Mitigating Living Off the Land,” which provides guidance on defending against common living off the land (LOTL) techniques. This release follows a May 2023 joint Cybersecurity Advisory on LOTL techniques.
 
Rather than introducing malicious code to a system, LOTL threats use existing tools on the system to circumvent security capabilities, which makes these cyberattacks more difficult to detect and mitigate. These techniques can occur in on-premises, cloud, or hybrid IT environments. People’s Republic of China and Russian Federation state-sponsored actors often use these techniques to evade detection.
 
“Living off the land attacks have galvanized the cybersecurity community,” said Rob Joyce, NSA’s Director of Cybersecurity and Deputy National Manager for National Security Systems (NSS). “More than half a dozen international and domestic partner organizations signed on to our previous living off the land Cybersecurity Advisory. Industry also allowed us to reference their important contributions. 
 
“Together with our partners and allies, we’re shining a light on attacks that occur in dark corners, and illustrating how the PRC behaves irresponsibly by holding civilian critical infrastructure at risk. CSAs like this arm all of us to improve defense and bring together a coalition that can do more as a group than any one of us can do alone,” said Joyce.
 
The CSA outlines how and why LOTL attacks are effective and includes best practice recommendations that are part of a multi-faceted and comprehensive approach to mitigating LOTL cyber threats. Best practices for prioritizing detection and hardening targets include implementing logging that allows for better detection of malicious LOTL activities, implementing authentication controls, maintaining user and admin privilege restrictions, auditing remote access software, establishing baseline behaviors, and refining monitoring tools and alerting mechanisms. The advisory also contains recommendations for software and technology manufacturers, technical details on threat actor activity, and information on network defense weaknesses.

Read the full report here.




NSA and Partners Spotlight People’s Republic of China Targeting of U.S. Critical Infrastructure

Source: National Security Agency NSA

FORT MEADE, Md. – The National Security Agency (NSA) has joined partners to issue a Cybersecurity Advisory (CSA) to address People’s Republic of China (PRC) targeting of U.S. critical infrastructure. The CSA, entitled “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” is led by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with NSA, the Federal Bureau of Investigation (FBI), and additional government agencies.
 
The CSA focuses on the PRC-sponsored cyber actor Volt Typhoon targeting IT networks of communications, energy, transportation, water, and wastewater organizations in the U.S. and its territories. The authoring agencies recognize the reality that the PRC has already compromised these systems. In some cases, the cyber actors have been living inside IT networks for years to pre-position for disruptive or destructive cyberattacks against operational technology (OT) in the event of a major crisis or conflict with the United States.
 
“This is something we have been addressing for a long time,” said Rob Joyce, NSA’s Director of Cybersecurity and Deputy National Manager for National Security Systems (NSS). “Our insights on PRC pre-positioning have driven action across the cyber community. We have gotten better at all aspects of this, from understanding Volt Typhoon’s scope, to identifying the compromises likely to impact critical infrastructure systems, to hardening targets against these intrusions, to working together with partner agencies to combat PRC cyber actors.”
 
The CSA notes Volt Typhoon’s choice of targets and pattern of behavior are not consistent with traditional cyber espionage or intelligence gathering. Their ability to access operational technology (OT) could allow the group to disrupt OT functions across multiple critical infrastructure entities.
 
This report is paired with a technical guide, also released today, entitled “Identifying and Mitigating Living Off the Land (LOTL).” LOTL is a technique often used by Volt Typhoon to access and embed undetected in existing systems.
 
Read the full report here.




General Timothy D. Haugh takes lead of USCYBERCOM and NSA/CSS

Source: National Security Agency NSA

FORT MEADE, Md. – General Timothy D. Haugh, U.S. Air Force, assumed command of U.S. Cyber Command (USCYBERCOM) and the National Security Agency (NSA)/Central Security Service (CSS) on February 2, 2024, during a change of command, directorship, and responsibility ceremony at USCYBERCOM/NSA/CSS Headquarters. The ceremony marked the transition of leadership from General Paul M. Nakasone, U.S. Army, to General Haugh.
 
“I am honored to begin my role as Commander of U.S. Cyber Command, Director of the National Security Agency, and Chief of the Central Security Service,” General Haugh said. “Having served in both USCYBERCOM and NSA, I have seen our workforce do incredible things on behalf of the nation, creating a unique advantage that has kept us ahead of our adversaries. I have full confidence in our ability to achieve our goals, because I know that the people of the USCYBERCOM and NSA/CSS are standing ready to tackle any challenge that comes their way.”
 
The change of command ceremony is a time-honored tradition symbolizing the transfer of authority and responsibility for military units, often marked by the exchange of flags. Deputy Secretary of Defense Kathleen H. Hicks and Director of National Intelligence Avril D. Haines presided over the ceremony, which was attended by senior military and civilian leaders, as well as distinguished guests and family members.
 
General Haugh’s career is a testament to the unique talents that are necessary for a leader in the cyber and intelligence domains. Ever-evolving, transnational threats require a swift strategist who excels across the full spectrum of cybersecurity operations and who has the diplomatic skills to navigate the domestic and foreign partnerships necessary to defend the nation. A leader of USCYBERCOM, the NSA, and the CSS also needs sharp technical wisdom to anticipate the next cyberattack.
 
General Haugh has a deep background in cyber operations and intelligence, having served in leadership positions at Sixteenth Air Force, Air Forces Cyber, the Joint Force Headquarters-Cyber, and in the Intelligence Community, where he worked closely with the NSA while on multiple tours.
 
Upon his confirmation, Director Haines issued a statement lauding General Haugh’s experience and service.
 
“He also has a tremendous reputation as a man of integrity and a manager who cares about his workforce,” Director Haines said. “I am grateful to him for taking on this critically important leadership role in our Intelligence Community and very much look forward to working with him in his new position.”
 
While the ceremony welcomed General Haugh to a new leadership role, it also marked a significant transition for General Nakasone’s career as his exemplary service comes to an end, and his retirement marks the beginning of the next chapter of his life.
 
General Nakasone has served as Commander, USCYBERCOM and Director, National Security Agency/Chief, Central Security Service (NSA/CSS) since May 2018. Leading a historic transformation, Nakasone’s legacy stretches far beyond simply commanding USCYBERCOM.
 
In 2018, General Nakasone steered the organization through a critical inflection point, taking the helm as it ascended to the prestigious status of a unified combatant command. This historic elevation signified a new era for both USCYBERCOM and military cyber operations, granting the organization heightened autonomy and resources to confront the ever-evolving threats in cyberspace. General Nakasone’s leadership proved instrumental in this groundbreaking transformation, laying the foundation for USCYBERCOM’s current prominence on the global cybersecurity stage.
 
The close teamwork between USCYBERCOM and NSA/CSS, which began with the Russia Small Group, matured under General Nakasone on nearly every endeavor, and allowed the two organizations to effectively navigate an evolving threat landscape. He leaned on both workforces’ expertise to meet the rise of China as the nation’s greatest strategic competitor, rapidly respond to Russia’s invasion of Ukraine, and provide essential intelligence for events in the Middle East. Prioritizing external partnership and innovation, he greatly expanded the cybersecurity mission, established the unclassified Cybersecurity Collaboration Center, and announced the formation of the Artificial Intelligence Security Center.
 
“I am most proud that USCYBERCOM, and particularly NSA/CSS, have maintained the trust and confidence of the American people,” General Nakasone said. “I believe our collective actions across our SIGINT, cybersecurity and cyberspace operational missions have demonstrated to our people that we are worthy of this trust.”
 
A highly decorated officer with extensive experience in intelligence and cyber operations, he served in command and staff positions across all levels of the Army throughout his distinguished career. General Nakasone reflected on his service as he retired from the military.
 
“Stepping down after 37 years of service fills me with immense pride and deep satisfaction,” General Nakasone said. “Leading the incredible men and women of USCYBERCOM, NSA, and CSS has been the honor of my lifetime. Together, we have navigated a dynamic cyberspace landscape, evolving our operations and safeguarding our nation against ever-escalating threats. While I bid farewell to active duty, I look forward to spending time with my family and reflecting on the legacy we have built together.”

Five Cryptologic Giants to be Inducted into NSA’s Cryptologic Hall of Honor

Source: National Security Agency NSA

The National Security Agency’s (NSA) Center for Cryptologic History is pleased to announce the 2023 induction of five major cryptologic figures into the Cryptologic Hall of Honor.
 
This year’s inductees are:

  • Evelyn Akeley – Akeley’s impressive record of improvisation in a fast-paced, high-stress environment reflects the finest traditions of the past century of American signals intelligence. Her accomplishments during World War II were exceeded only by those of her students, who broke virtually every Japanese army code they encountered. When she retired in 1958, she was the sixth most senior woman at NSA, outranked only by a group that included future Hall of Honor members Polly Budenbach, Ann Caracristi, Juanita Moody, and Julia Ward.

  • James Lovell – William Friedman called Lovell “the [American] Revolution’s one-man National Security Agency.” His pioneering work as a codebreaker and codemaker gave cryptology a singular role in the emergence of our new Nation. Leveraging Lovell’s decrypts, George Washington knew of the approach of a British relief force and was able to warn his French allies, thus enabling a decisive victory at Yorktown. Lovell is a landmark figure in the history of American cryptology and a model for present and future generations.

  • Joseph Mauborgne, Major General, USA – MG Mauborgne was a pioneer in numerous areas of communications technology and cryptology, including radiotelegraphy, cryptologic training, cryptanalysis, and cryptography. He is credited as the co-inventor of the One-Time Pad. His leadership and foresight facilitated victory in World War II for the United States and paved the way for future successes. He initiated the first sharing of intelligence between the United States and the United Kingdom, thus beginning the “Special Relationship.” William Friedman cited Mauborgne as the best director the Signal Corps had ever had.

  • James Radford – Jim Radford developed Special Purpose Devices that solved intractable analytic problems, often by enhancing the performance of supercomputers by a factor of hundreds. His early projects convinced NSA it was possible to work with contractors securely on sensitive projects, and helped convince contractors it was good business to work with NSA. His innovative thinking at NSA and the Institute of Defense Analyses helped meet the challenges of the communications and computing revolutions of the late 20th and early 21st centuries.

  • Harry Rashbaum – As a practicing linguist, Rashbaum pioneered the use of computers in developing online working aids to support translation and transcription, as well as using technology to teach language. As a senior linguist in operations, he raised the standards for language analysts, and taught senior leadership how to make best use of their talents. He convinced NSA to improve language promotions and incentive awards, an important factor in recruitment and retention. His publications, and the people he inspired, continue to positively affect NSA language work today.

More information about the 2023 honorees will be released following an upcoming induction ceremony. The next call for nominations will be issued in early 2024, but any individual or group can make a nomination at any time.
 
Individuals or groups nominated for the Cryptologic Hall of Honor must have made a significant contribution through cryptology to America’s national security. This may have been through a single event or a lifetime of superior achievements in cryptology. Individuals who worked for the government must have departed government cryptologic service at least 10 years prior to the nomination. Non-U.S. individuals or groups are also eligible for consideration, and their achievements, too, must have occurred at least 10 years prior to the nomination.
 
Visit the National Cryptologic Museum to learn more about all of the Hall of Honor inductees.
 

Senate votes to confirm Lt. Gen. Timothy Haugh to lead CYBERCOM and NSA/CSS

Source: National Security Agency NSA

FORT MEADE, Md. – The U.S. Senate voted to confirm President Joseph R. Biden, Jr.’s nomination of U.S. Air Force Lt. Gen. Timothy D. Haugh to the rank of General and to assume the duties as the Commander, U.S. Cyber Command (CYBERCOM), Director, National Security Agency (NSA)/Chief, Central Security Service (CSS).

Lt. Gen. Haugh is scheduled to assume his new role following a change-of-command ceremony planned for early 2024.

“It is the honor of a lifetime to have the opportunity to lead the incredible workforce of the Command and the Agency as they support the joint force during this decisive decade,” Lt. Gen. Haugh said. “My priorities – people, innovation, and partnerships – will serve as the foundational values to ensure we continue to execute our mission to deliver outcomes against national priorities in foreign intelligence and cybersecurity.”
 
Lt. Gen. Haugh began his Air Force career in 1991, earning his commission as a distinguished graduate of the Reserve Officers’ Training Corps at Lehigh University, Bethlehem, Pa. He currently serves as CYBERCOM’s deputy commander, where he directs, synchronizes, and coordinates cyberspace planning and operations to defend and advance national interests in collaboration with domestic and international partners.

From nearly 32 years of service, Lt. Gen. Haugh brings a wealth of joint service knowledge and experience to the Command and the Agency, drawn from assignments including commander, Sixteenth Air Force, Air Forces Cyber and Joint Force Headquarters-Cyber; commander, Cyber National Mission Force; CYBERCOM’s director of Intelligence, J2; and deputy commander of Joint Task Force-Ares.

Lt. Gen. Haugh expressed gratitude toward U.S. Army Gen. Paul M. Nakasone, Commander, CYBERCOM, Director, NSA/Chief, CSS, for his commitment to the dual-hat mission and workforce under his charge during times of unparalleled global challenges.

“I believe the nation is defended and the future is secured due to his leadership over the past six years,” Lt. Gen. Haugh said. “His loyalty to the nation, duty to the mission, selfless service, integrity and personal courage are admirable.”

Gen. Nakasone expressed that he is fortunate to pass command to a leader who upholds the highest standards of the service and demonstrates immense dedication to the mission.

“Having worked alongside Lt. Gen. Haugh over the past decade, I can personally attest to his steadfast leadership, integrity first mentality, and unwavering sense of duty,” Gen. Nakasone said.

Gen. Nakasone will retire after 37 years of dedicated service to the nation. As Director, NSA/Chief, CSS, Gen. Nakasone leads the nation’s signals intelligence (SIGINT) enterprise, ensuring delivery of timely, accurate intelligence insights to warfighters, policymakers, and allies on topics of critical national security importance. As the National Manager for National Security Systems, Gen. Nakasone supports the protection of these systems, the Defense Industrial Base, and U.S. critical infrastructure from cyber threats, as well as the development of game-changing technologies to provide intelligence advantage.

During his tenure with the Command and the Agency, Gen. Nakasone supported the establishment of CYBERCOM, fostered strategic concepts for cyber operations, and oversaw tighter integration between CYBERCOM and NSA. Additionally, under his leadership the Command and the Agency built closer ties with federal and industry partners. For example, Gen. Nakasone established several NSA organizations, including the Cybersecurity Directorate, the China Strategy Center, and the Cybersecurity Collaboration Center, which now has 750 partners across industry and the Defense Industrial Base. Moreover, Gen. Nakasone spearheaded the development of several successful joint CYBERCOM and NSA teams such as the Russia Small Group, China Outcomes Group and the Election Security Group.

Gen. Nakasone has held command and staff positions across all levels of the U.S. Army and the joint force with assignments in the United States, the Republic of Korea, Iraq, and Afghanistan.

“Serving the nation alongside the CYBERCOM and NSA/CSS workforce has been the highlight of my career,” Gen. Nakasone said. “I am proud to have worked every day with the very best leaders and talented workforce.”
 
About the National Security Agency:
Founded in 1952, NSA is a U.S. Department of Defense combat support agency and element of the U.S. Intelligence Community. The Agency’s mission is to provide foreign signals intelligence to policymakers and our military, and to prevent and eradicate cybersecurity threats to U.S. national security systems, with a focus on the Defense Industrial Base and the improvement of U.S. weapons’ security. From protecting U.S. warfighters around the world to enabling and supporting operations on land, in the air, at sea, in space, and in the cyber domain, NSA is committed to building public trust through transparency and protecting civil liberties and privacy consistent with our nation’s values.



NSA Publishes 2023 Cybersecurity Year in Review

Source: National Security Agency NSA

FORT MEADE, Md. – The National Security Agency (NSA) published its 2023 Cybersecurity Year in Review today to share its recent cybersecurity successes and how it is working with partners to deliver on cybersecurity advances that enhance national security. This year’s report highlights NSA’s work with U.S. government partners, foreign partners, and the Defense Industrial Base.

“The combined talent of our partners is the greatest competitive advantage we have to confront the increasingly sophisticated threats we see today” – Rob Joyce, Director of Cybersecurity

The Cybersecurity Year in Review highlights NSA’s recent cybersecurity efforts, including:

  • Establishing the Artificial Intelligence (AI) Security Center.

  • Detecting stealthy People’s Republic of China (PRC) intrusions into U.S. critical infrastructure and joining forces with partners (CISA, FBI, NIST, etc.) to expose those intrusions.

  • Collaborating with industry, government stakeholders, and academia to modernize cryptography to scale cybersecurity solutions and address the quantum threat.

“Cybersecurity matters. It matters to our partners and it matters to us. It ensures that our information, our intelligence, our knowledge can be shared securely.” – General Paul M. Nakasone, U.S. Army; Commander, U.S. Cyber Command; Director, National Security Agency; Chief, Central Security Service

This report includes information about NSA’s cybersecurity partnerships and the efforts in building them. This year NSA:

  1. Inaugurated the new AI Security Center within the Cybersecurity Collaboration Center, which will promote the secure development, integration, and adoption of AI capabilities within National Security Systems (NSS) and the Defense Industrial Base (DIB).

  2. Scaled NSA’s cybersecurity impact against global threats like Russian cyberespionage malware and malicious cyber activity from the People’s Republic of China together with U.S. and international partners and collaborators.

  3. Increased enrollments in NSA’s no cost cybersecurity services to Department of Defense contractors by 400%, hardening infrastructure and strengthening the Defense Industrial Base.

For questions or feedback on the report, contact Cybersecurity@nsa.gov or CybersecurityReports@nsa.gov. For any media inquiries, contact MediaRelations@nsa.gov.
 
Read the 2023 NSA Cybersecurity Year in Review to learn more.

NSA Releases Recommendations to Mitigate Software Supply Chain Risks

Source: National Security Agency NSA

FORT MEADE, Md. – In response to an increase in cyberattacks on supply chains over the past five years, including targeted attacks on software supply chains, the National Security Agency (NSA) is releasing the Cybersecurity Information Sheet (CSI), “Recommendations for Software Bill of Materials (SBOM) Management.” This CSI provides network owners and operators with guidance for incorporating SBOM use to help protect the cybersecurity supply chain, with a focus on and some additional guidance for National Security Systems (NSS).
 
Effective Software Bill of Materials (SBOM) management leverages identification of software components to mitigate cyber risk and support improved cybersecurity throughout the software’s lifecycle. According to the CSI, SBOM management should proceed in three steps. First, examine and manage risk before acquiring software. Second, analyze vulnerabilities after deploying new software. Third, implement incident management to detect and respond to new software vulnerabilities during vital operations.
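The three steps above, as an added example that is not the CSI’s own code: a constructed SBOM (minimal CycloneDX-like component list; the field subset, acquisition policy, version scheme and VULN-EXAMPLE identifiers are all assumptions or placeholders) is checked before acquisition, scanned against a vulnerability feed after deployment, and then used to find which deployed systems a newly published vulnerability affects.

```python
"""Constructed example, not the CSI's own code: the three SBOM management steps the
CSI names (risk review before acquisition, vulnerability analysis after deployment,
incident lookup when a new vulnerability appears), run over a constructed SBOM."""

REQUIRED_FIELDS = ("name", "version", "supplier", "licenses")

# Constructed SBOM in a minimal CycloneDX-like component list (assumption: only
# the fields this example needs are modelled; real SBOMs carry purl, hashes, etc.).
APP_SBOM = {
    "name": "billing-portal", "version": "3.1.0",
    "components": [
        {"name": "libfoo", "version": "1.3.9", "supplier": "Example Libs", "licenses": ["MIT"]},
        {"name": "crypto-kit", "version": "2.0.1", "supplier": "Example Crypto", "licenses": ["Apache-2.0"]},
        {"name": "leftpad-ng", "version": "0.0.4", "supplier": "", "licenses": ["AGPL-3.0"]},
        {"name": "netlib", "version": "5.2", "supplier": "Example Net"},  # licenses omitted
    ],
}

# Constructed acquisition policy and vulnerability feed (placeholder identifiers).
POLICY = {"denied_licenses": {"AGPL-3.0"}}
VULN_FEED = [
    {"id": "VULN-EXAMPLE-0001", "component": "libfoo", "fixed_in": "1.4.2"},
    {"id": "VULN-EXAMPLE-0002", "component": "crypto-kit", "fixed_in": "2.0.0"},
]


def vtuple(version):
    """Compare dotted numeric versions (assumption: no pre-release suffixes)."""
    return tuple(int(p) for p in version.split("."))


def pre_acquisition_review(sbom, policy):
    """Step 1: before acquiring, flag components whose provenance is incomplete
    or whose license the policy denies. Returns (component, reason) findings."""
    findings = []
    for c in sbom["components"]:
        for field in REQUIRED_FIELDS:
            if not c.get(field):
                findings.append((c["name"], f"missing {field}"))
        for lic in c.get("licenses", []):
            if lic in policy["denied_licenses"]:
                findings.append((c["name"], f"denied license {lic}"))
    return findings


def post_deploy_scan(sbom, feed):
    """Step 2: after deployment, match each component against the feed; a
    component is affected when its version is below the fixed version."""
    hits = []
    for v in feed:
        for c in sbom["components"]:
            if c["name"] == v["component"] and vtuple(c["version"]) < vtuple(v["fixed_in"]):
                hits.append((v["id"], c["name"], c["version"]))
    return hits


def incident_lookup(inventory, vuln):
    """Step 3: when a new vulnerability is published, find every deployed system
    whose SBOM contains an affected component, so response can start immediately."""
    affected = {}
    for system, sbom in inventory.items():
        hits = post_deploy_scan(sbom, [vuln])
        if hits:
            affected[system] = hits
    return affected


# Constructed deployment inventory: two systems, one already on a fixed netlib.
HR_SBOM = {
    "name": "hr-portal", "version": "1.0",
    "components": [{"name": "netlib", "version": "5.3", "supplier": "Example Net", "licenses": ["MIT"]}],
}
INVENTORY = {"billing-portal-prod": APP_SBOM, "hr-portal-prod": HR_SBOM}
NEW_VULN = {"id": "VULN-EXAMPLE-0003", "component": "netlib", "fixed_in": "5.3"}

if __name__ == "__main__":
    print("pre-acquisition:", pre_acquisition_review(APP_SBOM, POLICY))
    print("post-deploy:", post_deploy_scan(APP_SBOM, VULN_FEED))
    print("incident:", incident_lookup(INVENTORY, NEW_VULN))
```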
 
“As Software Bills of Materials become more integral to Cybersecurity Supply Chain Risk Management standards, best practices will become critical to ensuring efficiency and reliability of the software supply chain,” said Rob Joyce, NSA Cybersecurity Director and Deputy National Manager for National Security Systems (NSS). “Network owners and operators we work with count on NSA to advise them on shoring up their defenses. These guidelines provide the information they need to select the appropriate tools to reduce an organization’s overall risk exposure.”
 
This guidance includes recommended SBOM tool management functionality that supports the Director of the NSA in his role as the National Manager for National Security Systems, namely to provide better Cybersecurity Supply Chain Risk Management (C-SCRM) for NSS owners and operators. The CSI encourages NSS owners to implement a robust C-SCRM SBOM management strategy that ensures the authenticity, integrity, and trustworthiness of software products.
 
The CSI’s contents draw from NSA sources and analysis, as well as NSA’s partners, including the National Institute of Standards and Technology, the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, the National Telecommunications and Information Administration, and the larger cybersecurity community.
 
Read the full report here.




Russian Cyber Actors are Exploiting a Known Vulnerability with Worldwide Impact

Source: National Security Agency NSA

FORT MEADE, Md. – The National Security Agency (NSA), Federal Bureau of Investigation (FBI), and co-authoring agencies warn that Russian Foreign Intelligence Service (SVR) cyber actors are exploiting a publicly known vulnerability to compromise victims globally, including in the United States and in allied countries. To raise awareness and help organizations identify, protect, and mitigate this malicious activity, the authoring agencies have jointly released the Cybersecurity Advisory (CSA), “Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally.”
 
The CSA details the tactics, techniques, and procedures (TTPs) employed by the SVR actors, technical details of their operation, indicators of compromise (IOCs), and mitigation recommendations for network defenders.

“Russian cyber actors continue taking advantage of known vulnerabilities for intelligence collection,” said Rob Joyce, Director of NSA’s Cybersecurity Directorate. “It is critical to ensure systems are patched quickly, and to implement the mitigations and use the IOCs listed in this report to hunt for adversary persistent access.”

The U.S. Cybersecurity & Infrastructure Security Agency (CISA), the Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) collaborated with NSA and the FBI to assess the SVR cyber actors’ recent malicious activities.

The SVR cyber actors, who are also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, have been targeting Internet-connected JetBrains TeamCity servers globally since as early as September 2023. Victims identified in the report include companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games, as well as hosting companies, tool manufacturers, small and large IT companies, and an energy trade association.

The CSA notes that SVR actors exploit a known vulnerability, CVE-2023-42793, to gain initial access to the TeamCity servers and then perform malicious activities, such as escalating privileges, moving laterally, deploying additional backdoors, and taking other steps to ensure persistent, long-term access to the compromised network environments.
 
According to the CSA, software developers use TeamCity servers to manage and automate software development, compilation, testing, and releasing. Access to a TeamCity server can provide malicious actors with access to source code, signing certificates, and the ability to subvert software compilation and deployment processes and conduct malicious supply chain operations.

The agencies recommend organizations implement the mitigations in the advisory to improve their cybersecurity posture based on the SVR cyber actors’ malicious activity. Mitigations listed in the CSA include implementing a patch issued by JetBrains TeamCity, deploying host-based and endpoint protection systems, using multi-factor authentication, and auditing log files.
 
Read the full report here.


