The Federal Bureau of Investigation (FBI), US Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.
Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations. Although the SVR executed such an operation against SolarWinds and its customers in 2020, the authoring agencies are currently unaware of any attempts by the SVR to use the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
Software supply chain compromise is one of the most insidious threats and among the hardest to detect and mitigate. Conducting such activity requires dedicating significant resources, access, and R&D effort. If successful, it may allow an adversary to deploy a malicious update which, in the simplest scenario, executes adversary tools and thereby enables access to devices or whole networks. In a more complicated scenario, access to the build pipeline could allow the adversary to compromise the compiled source code and introduce almost undetectable modifications to the software, such as minuscule changes to cryptographic protocols that could enable decryption of the protected data. Supply chain compromise can easily have unforeseen consequences and spill-over effects, and can result in enormous damage to the economy, civilian organizations, or public safety.
SKW, working together with CERT.PL, the United States Intelligence Community, and the United Kingdom Intelligence Community, in cooperation with private entities, has countered and disrupted a Russian attempt to gain access to the software supply chain of dozens of entities globally. Joint actions have enabled identification of the campaign, its victims, and the tools and techniques utilized by the SVR, as well as disabling infrastructure and neutering tools. These were neither the first nor will they be the last actions taken by the Intelligence Community of like-minded countries aimed at protecting allied countries, civilian infrastructure, private organizations, and public safety against the irresponsible, indiscriminate, and disproportionate actions of the Russian Federation.
To bring Russia’s actions to public attention, the authoring agencies are providing information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, to provide compromised entities with actionable IOCs, and to empower private sector cybersecurity companies to better detect and counter the SVR’s malicious actions. The authoring agencies recommend that all organizations with affected systems that did not immediately apply the available patches or workarounds assume compromise and initiate threat hunting activities using the IOCs provided in this CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and contact the appropriate national CSIRT.
SKW and CERT.PL wish to acknowledge the cooperation, support, and coordination of the private cybersecurity companies. Once again, public-private partnership is the cornerstone of defeating cyberthreats. SKW wishes to especially thank Microsoft for its outstanding cooperation. Once notified, Microsoft disabled all known accounts abused by this actor for command and control.
The joint CSA authored by the Federal Bureau of Investigation (FBI), US Cybersecurity & Infrastructure Security Agency (CISA), National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) can be accessed here: https://www.gov.pl/attachment/f111510e-f9b6-40e7-b3f0-7cae28c8ff38