Cyber spies are reading and exploiting government cybersecurity advisories. Last Friday, a joint advisory was issued by the UK National Cyber Security Centre, the US Cybersecurity Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI. It stated that Russia's foreign intelligence service, the SVR, whose cybercrime organizations are said to have carried out many attacks including the one against SolarWinds, has read the previous advisory from July 2020 that detailed the various vulnerabilities and ways of dealing with them, and changed its attack policy accordingly.
"SVR cyber operators appear to have reacted to this report by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders," the advisory said. "These changes included the deployment of the open-source tool Sliver in an attempt to maintain their accesses. The group has also been observed making use of numerous vulnerabilities, most recently the widely reported Microsoft Exchange vulnerability."
Updated security guidance was published at the end of the document. It remains to be seen whether the attackers will change their tactics again following the latest advisory, and future ones, in a kind of never-ending dance.