
US and allies warn that Russian hackers are switching to cloud attacks.


Members of the Five Eyes (FVEY) intelligence alliance issued a warning today that APT29, the hacking group of Russia's Foreign Intelligence Service (SVR), is now switching to attacks that target its victims' cloud services.

Following the SolarWinds supply-chain attack it orchestrated more than three years ago, APT29 (also known as Cozy Bear, Midnight Blizzard, and The Dukes) breached a number of U.S. federal agencies.

In an effort to obtain foreign policy-related data, the Russian cyberspies also targeted governments, embassies, and senior officials in Europe through a string of phishing attacks, and compromised Microsoft 365 accounts belonging to various NATO countries.

More recently, Microsoft announced in January that the SVR hacking team had breached the Exchange Online accounts of its executives, and of employees at other companies, starting in November 2023.

Cloud services at risk

The Russian threat group is increasingly targeting cloud infrastructure, according to a joint advisory from the U.K.'s National Cyber Security Centre (NCSC), the NSA, CISA, the FBI, and cybersecurity agencies from Australia, Canada, and New Zealand.

As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment, according to the advisory.

Instead of relying on its traditional initial-access methods, such as exploiting vulnerabilities in on-premises network software, the group now has to target the cloud services themselves.

According to the Five Eyes agencies, APT29 hackers are now gaining access to their targets' cloud environments by password spraying or brute-forcing credentials.

Additionally, they are using dormant accounts, which haven't been removed after users left the targeted organizations, to regain access after system-wide password resets.

APT29's other initial-access vectors for cloud breaches include using stolen access tokens to hijack accounts without needing credentials, compromised residential routers to proxy their malicious activity, MFA fatigue to bypass multi-factor authentication (MFA), and registering their own devices as new devices on the victims' cloud tenants.

How to identify SVR cloud attacks

SVR hackers evade detection in their victims' networks, primarily those of government and other important organizations in Europe, the United States, and Asia, by using sophisticated tools such as the MagicWeb malware, which lets them authenticate as any user within a compromised network.

Network defenders should prioritize mitigating APT29’s initial access vectors when attempting to stop their attacks.

Network defenders are advised to enable MFA wherever possible and to require strong passwords, to apply the principle of least privilege to all system and service accounts, to create canary service accounts to speed up the detection of a compromise, and to reduce session lifetimes to prevent the use of unauthorized session tokens.

Additionally, they should permit device enrollment only for authorized devices, and they should monitor for the indicators of compromise that produce the fewest false positives.
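As an added illustration (not code from the advisory or from any vendor), the following script applies three of the detections suggested by the initial-access vectors above to constructed cloud sign-in records: password spraying (one source IP failing against many accounts), dormant-account reuse (a successful sign-in after a long silence), and MFA fatigue (a run of denied prompts followed by an approval). The log format, field names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions); tune to your tenant's normal baseline.
SPRAY_MIN_ACCOUNTS = 5       # distinct accounts failing from one source IP
DORMANT_DAYS = 90            # days of silence before a success is dormant reuse
MFA_FATIGUE_MIN_DENIALS = 3  # consecutive denied pushes before an approval

# Constructed sign-in records, not real data. Columns: timestamp,ip,account,outcome
# outcome: fail = bad password, mfa_denied = password ok but push rejected, success = session issued
SAMPLE_LOG = """\
2024-02-01T09:00:00,203.0.113.10,old.account,success
2024-02-26T08:00:00,198.51.100.7,alice,fail
2024-02-26T08:00:01,198.51.100.7,bob,fail
2024-02-26T08:00:02,198.51.100.7,carol,fail
2024-02-26T08:00:03,198.51.100.7,dave,fail
2024-02-26T08:00:04,198.51.100.7,erin,fail
2024-06-10T10:00:00,198.51.100.7,old.account,success
2024-06-10T11:00:00,198.51.100.7,frank,mfa_denied
2024-06-10T11:00:20,198.51.100.7,frank,mfa_denied
2024-06-10T11:00:40,198.51.100.7,frank,mfa_denied
2024-06-10T11:01:00,198.51.100.7,frank,success
"""

def parse_line(line):
    ts, ip, user, outcome = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user, "outcome": outcome}

def detect(records):
    # Returns (alert_type, subject) tuples in chronological order.
    alerts, last_success = [], {}
    failed_users_by_ip, denial_streak = defaultdict(set), defaultdict(int)
    for r in sorted(records, key=lambda r: r["ts"]):
        user, ip, outcome = r["user"], r["ip"], r["outcome"]
        if outcome == "fail":  # spraying: one IP, many accounts, few passwords
            failed_users_by_ip[ip].add(user)
            if len(failed_users_by_ip[ip]) == SPRAY_MIN_ACCOUNTS:
                alerts.append(("password_spray", ip))
        elif outcome == "mfa_denied":
            denial_streak[user] += 1
        elif outcome == "success":
            if denial_streak[user] >= MFA_FATIGUE_MIN_DENIALS:  # fatigue: denials, then approval
                alerts.append(("mfa_fatigue", user))
            denial_streak[user] = 0
            prev = last_success.get(user)  # dormant: success after a long silence
            if prev is not None and r["ts"] - prev > timedelta(days=DORMANT_DAYS):
                alerts.append(("dormant_account_login", user))
            last_success[user] = r["ts"]
    return alerts

def scan(log_text):
    return detect([parse_line(l) for l in log_text.splitlines() if l.strip()])
```

In a real tenant the dormant-account check needs a baseline of historical sign-ins, and the spray threshold should be tuned against normal failure rates so that it stays among the low-false-positive indicators the advisory recommends prioritizing.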

The Five Eyes allies said that, "for organizations that have moved to cloud infrastructure," a first line of defense against an actor like the SVR should be protecting against the SVR's TTPs for initial access.

Organizations will be better positioned to defend against this threat by implementing the mitigations outlined in this advisory.
