The FBI and Polish counterintelligence detected a Russian operation. It could have affected software supply chains
The Polish SKW and CERT Polska, together with the Americans, the British and Microsoft, detected and disabled a cyber operation conducted by Russian intelligence.
According to a notice published on the Polish government website, the Russian Foreign Intelligence Service (SVR) is exploiting the CVE-2023-42793 vulnerability in wide-ranging activity directed against JetBrains TeamCity servers.
The activity was detected jointly by the Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the UK National Cyber Security Centre (NCSC), the Polish Military Counterintelligence Service (SKW) and CERT Polska. The agencies found that the SVR has been exploiting CVE-2023-42793 against JetBrains TeamCity servers to attack a range of institutions since late September 2023.
Russian intelligence attacks in cyberspace
JetBrains TeamCity is software used to manage and automate the process of compiling, building, testing and releasing software.
Access to a TeamCity server could expose source code and signing certificates, and could be used to subvert the build and release process, which in turn would allow manipulation of the software supply chain.
“While SVR conducted similar actions against SolarWinds and its customers in 2020, the agencies behind the publication have not yet observed attempts to exploit access gained through the TeamCity CVE in a similar manner. However, escalation of privileges, expansion of access within the network, placement of additional tools in IT systems and other actions aimed at guaranteeing long-term, difficult-to-detect access to compromised systems were observed,” the statement reads.
SKW and CERT Polska thanked private-sector partners, in particular Microsoft, which, once informed of the detected activity, disabled all identified service accounts that the SVR had been using as communication and management (command-and-control) channels.