US government is being targeted by the Russian SVR aka APT29

For the detailed advisory, download the PDF file here.

The Russian SVR is following its established pattern of exploiting publicly known vulnerabilities in internet-facing products to gain authenticated access to US government and critical-infrastructure networks. The same actor has targeted COVID-19 research facilities, exploiting a VMware Workspace ONE Access zero-day (CVE-2020-4006) and deploying the WellMess malware.

The MITRE ATT&CK techniques used by APT29 include:

  • Exploiting public-facing applications (T1190)
  • Leveraging external remote services (T1133)
  • Compromising supply chains (T1195)
  • Using valid accounts (T1078)
  • Exploiting software for credential access (T1212)
  • Forging web credentials: SAML tokens (T1606.002)

The five vulnerabilities targeted are:

  • CVE-2018-13379 Fortinet FortiOS SSL VPN (path traversal)
  • CVE-2019-9670 Zimbra Collaboration Suite (XML External Entity injection)
  • CVE-2019-11510 Pulse Connect Secure (arbitrary file read)
  • CVE-2019-19781 Citrix ADC and Gateway (directory traversal)
  • CVE-2020-4006 VMware Workspace ONE Access (command injection)
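As an added illustration (not part of the original advisory or its PDF), the following Python script runs simple detection rules over constructed web-server access-log lines for four of the five CVEs listed above, then groups hits by source address so a single host probing several products stands out. The request patterns it matches are the widely published exploitation paths for those vulnerabilities, which this page itself does not list, so treat them as the example's assumptions; CVE-2020-4006 is omitted because it is reached through the product's administrative configurator rather than a user-facing request path that a standard access log would show. The log lines, timestamps and IP addresses are fabricated.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). These are
# fabricated for this example and do not come from any real incident.
SAMPLE_LOGS = """\
203.0.113.5 - - [10/Apr/2021:08:12:01 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2021:08:12:03 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2021:08:12:05 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2021:08:12:07 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 9231 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2021:08:12:09 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 503 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2021:08:12:30 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "curl/7.68.0"
198.51.100.7 - - [10/Apr/2021:08:13:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2021:08:13:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2021:08:13:04 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Rules are applied to "METHOD <decoded target>". The traversal sequence
# itself is the indicator, so the target is decoded but never normalised.
# Patterns are assumptions drawn from published exploitation paths.
RULES = [
    ("CVE-2019-11510", "high",
     re.compile(r"^GET /dana-na/.*\.\./.*(?:/etc/passwd|/data/runtime/mtmp)", re.I)),
    ("CVE-2019-19781", "high",
     re.compile(r"^(?:GET|POST) /vpn/\.\./+vpns/", re.I)),
    ("CVE-2018-13379", "high",
     re.compile(r"^GET /remote/fgt_lang\?lang=.*\.\./.*sslvpn_websession", re.I)),
    # XXE lives in the POST body, which an access log does not record; a POST
    # to the Autodiscover endpoint is only a cue to pull the body from a WAF
    # or packet capture, hence the low confidence.
    ("CVE-2019-9670", "low",
     re.compile(r"^POST /Autodiscover/Autodiscover\.xml", re.I)),
]


@dataclass
class Hit:
    ip: str
    ts: str
    cve: str
    method: str
    target: str
    status: int
    confidence: str


def decode_target(target: str) -> str:
    # Decode twice so %252e%252e (double-encoded "..") is unmasked as well.
    return unquote(unquote(target))


def scan_lines(lines):
    """Return one Hit per log line matching an exploitation pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        probe = f"{m['method']} {decode_target(m['target'])}"
        for cve, confidence, rx in RULES:
            if rx.search(probe):
                hits.append(Hit(m["ip"], m["ts"], cve, m["method"],
                                m["target"], int(m["status"]), confidence))
                break
    return hits


def summarize(hits):
    """Map source IP -> set of CVEs it probed; multi-CVE sources are the
    'known-vulnerability sweep' pattern the advisory describes."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h.ip, set()).add(h.cve)
    return by_ip


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOGS.splitlines())
    for h in found:
        print(f"{h.ts} {h.ip} {h.cve} [{h.confidence}] {h.method} {h.target} -> {h.status}")
    for ip, cves in summarize(found).items():
        print(f"{ip}: {len(cves)} distinct CVE pattern(s): {sorted(cves)}")
```

A 200 response to a traversal request is the line to escalate first: the Pulse Secure and Citrix patterns above return sensitive files on a vulnerable appliance, so status code plus response size separates a successful read from a blocked probe. Because the script decodes before matching, percent-encoded variants such as the `192.0.2.9` line are caught, but it deliberately does not collapse `../`, since a normalised path would hide exactly the evidence being looked for.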

Actor Details

Name: APT29
Known as: Cozy Bear, The Dukes, Group 100, Yttrium, Iron Hemlock, Minidionis, CloudLook, Grizzly Steppe, CozyCar, CozyDuke
Origin: Russia
Targeted Locations: Austria, Brazil, China, France, Germany, Hungary, Japan, Mexico, Netherlands, New Zealand, Norway, Portugal, South Korea, Spain, Turkey, Ukraine, United States, Uzbekistan
Targeted Sectors: Academic, Aerospace, Energy, Extractive, Financial Services, Government, Industrials, Engineering, Insurance, Media, NGOs, Nonprofits, Oil and Gas, Pharmaceuticals, Technology

Vulnerability Details

Download the PDF file here to read the vulnerability details, including CVE ID, affected versions, affected CPE, vulnerability description and CWE ID.

Patch Links