Russian intelligence caught exploiting major software vulnerability, worldwide users at risk

hacker, illustrative photo
Images source: © Unsplash

8:42 AM EST, December 14, 2023

JetBrains TeamCity is used to manage and automate software development processes, including testing and release. Access to the servers that run it could therefore offer a route to source code and cryptographic certificates, or a way to tamper with the software being built.

Put simply, the Russians were attempting to embed malicious changes in software that could then reach users worldwide through mechanisms such as updates. According to the findings, this SVR campaign has been ongoing since September of this year.

The Russian campaign against JetBrains TeamCity was detected thanks to collaboration among the Federal Bureau of Investigation (FBI), the American Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the British National Cyber Security Centre (UK NCSC), the Polish Military Counterintelligence Service (SKW) and CERT Poland.

"This demonstrates the importance of cooperation in cybersecurity and highlights Poland's key role in it. We're publishing our analysis to support organizations in detecting threats and fortifying their own networks. Furthermore, we aim to empower cybersecurity industry entities to combat Russian activities more effectively," stated Sebastian Kondraszuk, the head of CERT Poland.

CERT Poland experts note that a compromise of the software supply chain is one of the hardest threats to detect and counter. Disrupting the campaign that began in September is a welcome result, since attacks of this type typically require the attacker to invest significant resources: not days but weeks of acquiring access, laying groundwork and planning.

A successful attack could end with a tampered update that installs a foreign intelligence service's tooling, giving it access to individual devices or even entire systems. In another scenario, subtle modifications are introduced into the source code, enabling, for instance, the reading of network traffic.

Services and organizations that monitor Russian activities recommend that all entities using JetBrains software (unless they applied the updates in time or had other mitigations in place against the exploit) assume that the SVR may have access to their IT systems and begin threat hunting based on the published guidelines.
