The Russian military intelligence unit [4], Cozy Bear [1] [2] [4] [7], also known as the Dukes and APT29 [4], has been actively exploiting a vulnerability in JetBrains TeamCity software [1] [4]. This software is widely used for managing and automating software builds [4], testing [4], and releases [1] [4].

The Cybersecurity and Infrastructure Security Agency (CISA) [4], along with the FBI [4], the National Security Agency (NSA) [4], and international partners [4], have issued a warning about this exploitation [4]. The threat actors have been targeting servers hosting TeamCity software for the past two months [4], with a focus on technology companies [4], foreign governments [4], and academic institutions [4].

The vulnerability being exploited is tracked as CVE-2023-42793 [4]; if a TeamCity server is compromised [4], it could provide malicious actors with access to source code [4], signing certificates [1] [2] [4] [7], and the ability to manipulate software compilation and deployment processes [1] [4]. The advisory also highlights the potential for threat actors to conduct supply chain operations by manipulating the developer's source code [4].

The Polish Military Counterintelligence Service (SKW) and CERT Polska have worked with intelligence agencies and private entities to disrupt the Russian attempts [7]. Organizations are advised to apply patches and workarounds [7], to assume compromise if they have not already done so [7], and to conduct threat hunting activities [7]. The joint report by the FBI [7], CISA [6] [7], NSA [7], SKW [7], CERT.PL [7], and NCSC provides more information and recommendations for incident response [7].

The FBI [4], along with Polish authorities [5], disrupted a cyber operation conducted by the Russian APT29 group [5], also known as SVR [5]. The operation involved exploiting a vulnerability in JetBrains TeamCity (CVE-2023-42793) to target various institutions [5]. The attack allowed the hackers to gain access to source code [5], potentially exposing sensitive information and enabling the insertion of backdoors [5].

The joint effort of Polish [5], American [5], British [5], and Microsoft teams successfully detected [5], analyzed [5], and neutralized the Russian operation [5]. Users of JetBrains TeamCity who have not applied the necessary updates are advised to assume they have been compromised and to conduct a thorough analysis of their infrastructure [5]. The campaign targeted a wide range of organizations [5], highlighting the importance of implementing security measures [5].

The collaborative actions led to the identification of the campaign [5], its victims [3] [5] [6], and the techniques used by SVR [5], as well as the blocking of their infrastructure and the neutralization of their tools [5]. These actions demonstrate the ongoing efforts of allied agencies to protect national [5], public [1] [5] [6], and private security from Russia's unreasonable and disproportionate actions [5].