US, UK and Polish cybersecurity agencies and intelligence services have warned that a threat actor linked to the Russian Foreign Intelligence Service (SVR) has been exploiting a vulnerability in JetBrains’ TeamCity CI/CD software platform to conduct SolarWinds-style cyberespionage operations since September 2023.
“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations,” the agencies said in a joint advisory.
The hacker group, tracked as APT29 (also known as the Dukes, Cozy Bear, and NOBELIUM/Midnight Blizzard), is best known for breaching multiple US federal agencies through the 2020 SolarWinds supply-chain attack, in which the threat actor trojanized updates to SolarWinds’ Orion business software to breach targets.
In this recent campaign, the group is exploiting CVE-2023-42793, an authentication bypass vulnerability in TeamCity that allows remote code execution. However, unlike in the SolarWinds hack, the threat actor did not use its TeamCity access in the same way; instead, it leveraged that access to escalate privileges, move laterally, deploy additional backdoors, and establish long-term access to the victim network.
The agencies said they identified a few dozen compromised companies in the US, Europe, Asia, and Australia, and are aware of over a hundred compromised devices. The victims include an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tool manufacturers, and small and large IT companies.