b2b-daily
Home | IT | Cyber Security

Russian SVR-Linked Threat Actors Exploit Unpatched JetBrains TeamCity Servers in Widespread Attacks

Avatar photo
by Dwaine Evans
December 14, 2023
Image Credit: Pexels
Russian SVR-Linked Threat Actors Exploit Unpatched JetBrains TeamCity Servers in Widespread Attacks
Table of Contents
  1. Exploiting CVE-2023-42793
  2. Actions taken by the SVR
  3. Tactics used by the threat actors
  4. Graphical Proton (VaporRage) and Command-and-Control (C2) communication channels
  5. Scope and impact of the attacks
  6. Attribution of the attacks
  7. Additional tactics used by Seashell Blizzard
  8. Microsoft's detection of the pro-Russia influence actor

In recent months, widespread attacks targeting unpatched JetBrains TeamCity servers have been observed, with threat actors affiliated with the Russian Foreign Intelligence Service (SVR) identified as the perpetrators. These cyber intrusions, which have been ongoing since September 2023, highlight the increasing sophistication and adaptability of Russian cyber and influence operators throughout the war in Ukraine.

Exploiting CVE-2023-42793

One of the key vulnerabilities exploited by the SVR-linked threat actors is CVE-2023-42793, a critical security flaw with a CVSS score of 9.8. This vulnerability enables unauthenticated attackers to achieve remote code execution on affected systems. By leveraging this vulnerability, the attackers are able to gain initial access to the compromised TeamCity servers and initiate their malicious operations.

Actions taken by the SVR

Once the threat actors gain initial access through the TeamCity CVE, they proceed to escalate their privileges, move laterally within the compromised network environments, and deploy additional backdoors. These steps are taken to ensure long-term and persistent access to the compromised systems, allowing the attackers to carry out their malicious activities undetected.

Tactics used by the threat actors

Following a successful initial access, the threat actors proceed with various tactics to maximize their impact. This includes conducting extensive reconnaissance to gather valuable information about the compromised network, escalating privileges to gain further control over the system, moving laterally within the network to access additional resources, and exfiltrating sensitive data. To evade detection, the threat actors employ an open-source tool called EDRSandBlast, which helps them remain undetected by security measures.

Graphical Proton (VaporRage) and Command-and-Control (C2) communication channels

The threat actors leverage malware called GraphicalProton, also known as VaporRage, as part of their attack strategy. One unique aspect of this malware is its use of OneDrive as a primary command-and-control (C2) communication channel. By utilizing cloud storage services such as OneDrive, the attackers can maintain communication with the compromised systems, allowing them to send commands and receive data without raising suspicion. In cases where OneDrive is inaccessible, the threat actors have also employed Dropbox as a fallback mechanism for C2 communication.

Scope and impact of the attacks

The attacks have had a significant global impact, with as many as 100 devices across the United States, Europe, Asia, and Australia being compromised. While the attacks are suspected to be opportunistic in nature, the widespread nature suggests a calculated and coordinated effort by the threat actors to maximize the potential impact of their actions.

Attribution of the attacks

The intrusions have been attributed to two nation-state groups known as Aqua Blizzard (formerly Actinium) and Seashell Blizzard (formerly Iridium). These groups are affiliated with the Russian SVR and have been actively involved in carrying out cyber espionage operations targeting various sectors and organizations.

Additional tactics used by Seashell Blizzard

In addition to the TeamCity CVE exploitation, Seashell Blizzard has been observed taking advantage of pirated Microsoft Office software as a means to distribute the DarkCrystalRAT (aka DCRat) backdoor. By leveraging the popularity of pirated software, the threat actors gain initial access to compromised systems, enabling them to conduct further malicious activities and establish control over the network.

Microsoft’s detection of the pro-Russia influence actor

Microsoft has also identified a Russia-affiliated influence actor named Storm-1099, also known as Doppelganger. This actor has been carrying out sophisticated pro-Russia influence operations targeting international supporters of Ukraine since the spring of 2022. Through social media manipulation, disinformation campaigns, and other tactics, Storm-1099 aims to shape narratives and sway public opinion in favor of Russia’s interests.

The widespread attacks on unpatched JetBrains TeamCity servers by SVR-linked threat actors highlight the growing sophistication of Russian cyber and influence operations. The exploitation of vulnerabilities, the use of advanced malware, and the strategic targeting of global networks demonstrate the adaptability and persistence of these threat actors. As organizations and individuals face heightened cybersecurity risks, it becomes crucial to prioritize patching vulnerabilities, implementing strong security measures, and remaining vigilant against the evolving tactics of malicious actors.

Digital TransformationInformation Security

Explore more

Resilience Becomes the New Velocity for DevOps in 2026
December 19, 2025

With extensive expertise in artificial intelligence, machine learning, and blockchain, Dominic Jainy has a unique perspective on the forces reshaping modern software delivery. As AI-driven development accelerates release cycles to unprecedented speeds, he argues that the industry is at a critical inflection point. The conversation has shifted from a singular focus on velocity to a more nuanced understanding of system

Can a Failed ERP Implementation Be Saved?
December 19, 2025

The ripple effect of a malfunctioning Enterprise Resource Planning system can bring a thriving organization to its knees, silently eroding operational efficiency, financial integrity, and employee morale. An ERP platform is meant to be the central nervous system of a business, unifying data and processes from finance to the supply chain. When it fails, the consequences are immediate and severe.

When Should You Upgrade to Business Central?
December 19, 2025

Introduction The operational rhythm of a growing business is often dictated by the efficiency of its core systems, yet many organizations find themselves tethered to outdated enterprise resource planning platforms that silently erode productivity and obscure critical insights. These legacy systems, once the backbone of operations, can become significant barriers to scalability, forcing teams into cycles of manual data entry,

Is Your ERP Ready for Secure, Actionable AI?
December 19, 2025

Today, we’re speaking with Dominic Jainy, an IT professional whose expertise lies at the intersection of artificial intelligence, machine learning, and enterprise systems. We’ll be exploring one of the most critical challenges facing modern businesses: securely and effectively connecting AI to the core of their operations, the ERP. Our conversation will focus on three key pillars for a successful integration:

Trend Analysis: Next-Generation ERP Automation
December 19, 2025

The long-standing relationship between users and their enterprise resource planning systems is being fundamentally rewritten, moving beyond passive data entry toward an active partnership with intelligent, autonomous agents. From digital assistants to these new autonomous entities, the nature of enterprise automation is undergoing a radical transformation. This analysis explores the leap from AI-powered suggestions to true, autonomous execution within ERP