Russia’s SVR spy agency scanned for Microsoft Exchange Server bug, UK and US say

It’s the third time in a month that U.S. officials have published information on hacking techniques allegedly used by the SVR.
(Photo by John Smith/VIEWpress/Getty Images)

After pulling off a sweeping breach of U.S. government networks last year, Russia’s SVR foreign intelligence agency has been scanning the internet for a vulnerability in Microsoft software previously exploited by Chinese spies, British and American security agencies said Friday.

It’s the third time in a month that U.S. security agencies have published information on hacking techniques allegedly used by the SVR, the Russian spy agency accused of exploiting software made by SolarWinds and other vendors to breach at least nine U.S. federal agencies. The discovery underscores how a bug in widely used technology can be valuable to spy agencies around the world, which bank on the possibility that some of the organizations they target fail to promptly update their software.

The alert is part of a press from the U.S. and its allies against the same hacking group that broke into the Democratic National Committee ahead of the 2016 U.S. election. The goal is to blunt the impact of current and future spying operations of one of Russia’s most formidable hacking units.

The latest advisory — published by the U.K.’s National Cyber Security Center, the FBI, National Security Agency and the Cybersecurity and Infrastructure Security Agency — did not elaborate on what the SVR might have done after finding vulnerable Microsoft Exchange Server software. But it’s only the latest evidence of the fallout after the flaw became public two months ago.


A Chinese government-backed hacking group was among the first to use the vulnerability to steal emails from U.S. targets, according to Microsoft. Tens of thousands of U.S. businesses and state and local governments were reportedly vulnerable to that flaw and others in Exchange Server, resulting in part in National Security Council meetings focused on how to update the software to mitigate spies’ ability to gather intelligence.

The U.K.-U.S. analysis also sheds light on previous compromises linked with the SVR and some of the agency’s recent hacking techniques.

The SVR hackers, for example, used their access to the network of email security firm Mimecast “to authenticate a subset of Mimecast’s products with customer systems” and gain full access to a victim’s email inbox, according to the advisory. Mimecast revealed in March that the hackers stole the firm’s source code.

The Russian spies have also on multiple occasions used a “red teaming” tool known as Sliver, which cybersecurity professionals typically use to test clients’ defenses, in an apparent attempt to ensure access to victim networks, according to the advisory.

U.S. officials have previously expressed concern that, since at least 2018, the SVR’s hackers have targeted email-based cloud computing resources to cover their tracks. Some of those same techniques were central to the success of the campaign that exploited SolarWinds software.


In a statement to CyberScoop on Friday, the FBI said it observed the SVR modify mailbox permissions on a victim network in 2018, which allowed the spies “additional access vectors to sensitive mailboxes.”

“For many of the attacks against cloud environments, the SVR took advantage of misconfigurations or weaknesses in customer implementations of their cloud environment,” the FBI said. “By taking advantage of these implementation errors, the SVR was able to accomplish their goals without the use of malware which may have been detected by end-point monitoring systems.”

The SVR’s alleged hacking has been a significant source of tension in U.S.-Russian relations in the first months of the Biden administration.

In blaming the SVR for the hacking last month, U.S. officials expelled 10 Russia diplomatic personnel and sanctioned Russian technology companies for allegedly supporting Moscow’s cyber-espionage. The Russian government denied the allegations and responded by expelling 10 U.S. diplomats.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts