The National Security Agency and Federal Bureau of Investigation have issued an alert about hackers affiliated with the Russian Foreign Intelligence Service (SVR) exploiting a vulnerability in TeamCity servers to access sensitive information and disrupt supply chains.
TeamCity is a build management and continuous integration server system developed by JetBrains. Thousands of companies use it in their tech stacks, including Stack Exchange, eBay, Apple, and Gearbox Entertainment.
According to the alert, hostile SVR cyber actors such as Advanced Persistent Threat 29, the Dukes, CozyBear, and NOBELIUM “have been targeting Internet-connected JetBrains TeamCity servers globally as early as September 2023. Victims identified in the report include companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games, as well as hosting companies, tool manufacturers, small and large IT companies, and an energy trade association.”
The Cybersecurity Advisory warned that these hacker groups “gain initial access to the TeamCity servers and then perform malicious activities, such as escalating privileges, moving laterally, deploying additional backdoors, and taking other steps to ensure persistent, long-term access to the compromised network environments.”
“Access to a TeamCity server can provide malicious actors with access to source code, signing certificates, and the ability to subvert software compilation and deployment processes and conduct malicious supply chain operations,” it added.