A joint advisory from the Five Eyes nations' cybersecurity and intelligence services details the evolving strategies of the Russian state-sponsored threat actor known as APT29.
According to reports, the hacking outfit is connected to the Russian Federation's Foreign Intelligence Service (SVR) and is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (previously Nobelium), and The Dukes.
The cyber espionage group, previously linked to the SolarWinds software supply chain compromise, has targeted Microsoft, Hewlett Packard Enterprise (HPE), and other organizations in recent months.
According to the security bulletin, "The SVR has adapted to these changes in the operating environment as organizations continue to modernize their systems and move to cloud-based infrastructure."
The adapted tactics, techniques, and procedures (TTPs) the advisory highlights include:
- Instead of exploiting software vulnerabilities in on-premises networks, using brute-force and password-spraying attacks to gain access to cloud infrastructure through service accounts and dormant accounts, which often lack MFA and are rarely monitored.
- Using stolen access tokens to gain access to victims' accounts without requiring a password.
- Using password spraying and credential reuse against accounts, bypassing multi-factor authentication (MFA) with "MFA bombing" (repeatedly sending push prompts until the user accepts one), and then registering their own device on the cloud tenant to retain access.
- Using residential proxy services so that malicious traffic appears to come from IP addresses in residential broadband internet service provider (ISP) ranges, hiding its true origin and making malicious connections harder to distinguish from regular users.
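The behaviours in the list above leave traces in cloud sign-in logs that a defender can hunt for. The following is an added example written for this article, not code from the advisory or any of the named organizations: three small detection heuristics (password spraying from one source against many accounts, MFA bombing, and device registration shortly after a suspicious MFA approval) run over a constructed sign-in sample. The record layout, the field names, the way the Entra ID error codes 50126 (bad password) and 500121 (strong-authentication failure) are used here, and the thresholds are all assumptions chosen for illustration, not a vendor schema or a tuned production rule.

```python
"""Added example (not from the advisory): detection heuristics for three SVR
initial-access behaviours, run over a constructed sign-in sample. Layout,
error-code usage and thresholds are assumptions for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): ts,user,source_ip,result,error,mfa_detail,event
SAMPLE = """\
2024-02-26T09:00:05Z,svc-backup@corp.example,203.0.113.10,fail,50126,,
2024-02-26T09:00:09Z,svc-sync@corp.example,203.0.113.10,fail,50126,,
2024-02-26T09:00:14Z,old.intern@corp.example,203.0.113.10,fail,50126,,
2024-02-26T09:00:20Z,jdoe@corp.example,203.0.113.10,fail,50126,,
2024-02-26T09:00:27Z,finance-app@corp.example,203.0.113.10,fail,50126,,
2024-02-26T09:00:33Z,svc-legacy@corp.example,203.0.113.10,success,0,,
2024-02-26T09:05:00Z,jdoe@corp.example,198.51.100.7,fail,500121,denied,
2024-02-26T09:05:40Z,jdoe@corp.example,198.51.100.7,fail,500121,denied,
2024-02-26T09:06:15Z,jdoe@corp.example,198.51.100.7,fail,500121,denied,
2024-02-26T09:06:50Z,jdoe@corp.example,198.51.100.7,fail,500121,denied,
2024-02-26T09:07:30Z,jdoe@corp.example,198.51.100.7,success,0,approved,
2024-02-26T09:09:00Z,jdoe@corp.example,198.51.100.7,success,0,,device_register
2024-02-26T10:00:00Z,asmith@corp.example,192.0.2.44,fail,50126,,
2024-02-26T10:00:30Z,asmith@corp.example,192.0.2.44,success,0,approved,
"""

FIELDS = ("ts", "user", "ip", "result", "error", "mfa", "event")


def parse(text):
    """Parse the constructed CSV-style sample into dicts sorted by timestamp."""
    rows = []
    for line in text.strip().splitlines():
        rec = dict(zip(FIELDS, line.split(",")))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["error"] = int(rec["error"])
        rows.append(rec)
    return sorted(rows, key=lambda r: r["ts"])


def password_spray(rows, min_accounts=5, window=timedelta(minutes=15)):
    """One source IP failing with a bad password (50126) against many distinct
    accounts inside the window. Also report which accounts that IP then logged
    into: a spray that lands on a service or dormant account without MFA is
    exactly the case the advisory describes."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    findings = {}
    for ip, evs in by_ip.items():
        bad = [e for e in evs if e["result"] == "fail" and e["error"] == 50126]
        for i, first in enumerate(bad):
            users = {e["user"] for e in bad[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                ok = sorted({e["user"] for e in evs if e["result"] == "success"})
                findings[ip] = {"targeted": sorted(users), "succeeded": ok}
                break
    return findings


def mfa_fatigue(rows, min_denials=3, window=timedelta(minutes=10)):
    """A run of denied MFA prompts for one user followed by an approval inside
    the window: the 'MFA bombing' pattern."""
    by_user = defaultdict(list)
    for r in rows:
        if r["mfa"]:
            by_user[r["user"]].append(r)
    findings = []
    for user, evs in by_user.items():
        denied = []
        for e in evs:
            if e["mfa"] == "denied":
                denied.append(e)
            elif e["mfa"] == "approved":
                recent = [d for d in denied if e["ts"] - d["ts"] <= window]
                if len(recent) >= min_denials:
                    findings.append({"user": user, "ip": e["ip"],
                                     "denials": len(recent), "approved_at": e["ts"]})
                denied = []
    return findings


def device_registration_after_fatigue(rows, fatigue, window=timedelta(hours=1)):
    """Device enrolment from the same source IP shortly after a suspicious MFA
    approval is the follow-on step the advisory calls out."""
    approvals = {(f["user"], f["ip"]): f["approved_at"] for f in fatigue}
    return sorted(
        r["user"] for r in rows
        if r["event"] == "device_register"
        and (r["user"], r["ip"]) in approvals
        and timedelta(0) <= r["ts"] - approvals[(r["user"], r["ip"])] <= window
    )


if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("password spray:", password_spray(rows))
    fat = mfa_fatigue(rows)
    print("MFA fatigue:", fat)
    print("device registration after fatigue:", device_registration_after_fatigue(rows, fat))
```

Note that none of these rules depend on the source IP looking suspicious: the residential proxy technique in the last bullet is precisely why IP reputation alone is a weak signal, so the spray rule keys on behaviour per source (many accounts, one password-failure code, short window) and the MFA rule on the per-user prompt sequence. In a real tenant the thresholds would need tuning against baseline noise, and the device registration signal would come from the audit log rather than the sign-in log.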
The first line of defense against an actor like the SVR should be to protect against its "TTPs for initial access," according to the agencies, because once the SVR gains initial access it can deploy highly sophisticated post-compromise capabilities such as MagicWeb.