Russian Hackers Shift To Cloud Attacks Us And Allies Warn
Image: Midjourney
Members of the Five Eyes (FVEY) intelligence alliance warned today that APT29 Russian Foreign Intelligence Service (SVR) hackers are now switching to attacks targeting their victims’ cloud services.
APT29 (also tracked as Cozy Bear, Midnight Blizzard, The Dukes) breached multiple U.S. federal agencies following the SolarWinds supply-chain attack they orchestrated more than three years ago.
The Russian cyberspies also compromised Microsoft 365 accounts belonging to various entities within NATO nations to obtain foreign policy-related data and targeted governments, embassies, and senior officials throughout Europe associated in a string of phishing attacks.
More recently, Microsoft confirmed in January that the Russian Foreign Intelligence Service hacking group breached the Exchange Online accounts of its executives and users from other organizations in November 2023.
Cloud services under attack
Today, a joint advisory issued by the U.K.’s National Cyber Security Centre (NCSC), the NSA, CISA, the FBI, and cybersecurity agencies from Australia, Canada, and New Zealand warned that the Russian threat group is gradually moving to attacks against cloud infrastructure.
“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” the advisory reads.
“They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.”
As the Five Eyes agencies found, APT29 hackers are now gaining access to their targets’ cloud environments using access service account credentials compromised in brute forcing or password spraying attacks.
Additionally, they’re using dormant accounts that have never been removed after users left the targeted organizations, also enabling them to regain access after systemwide password resets.
APT29’s initial cloud breach vectors also include the use of stolen access tokens that enable them to hijack accounts without using credentials, compromised residential routers to proxy their malicious activity, MFA fatigue to bypass multi-factor authentication (MFA), and registering their own devices as new devices on the victims’ cloud tenants
How to detect SVR cloud attacks
After gaining initial access, SVR hackers use sophisticated tools like the MagicWeb malware (which allows them to authenticate as any user within a compromised network) to evade detection in the victims’s networks, mainly government and critical organizations spanning Europe, the United States, and Asia.
Hence, mitigating APT29’s initial access vectors should be at the top of the list for network defenders when working towards blocking their attacks.
Network defenders are advised to enable MFA wherever and whenever possible, coupled with strong passwords, to use the principle of least privilege for all system and service accounts, to create canary service accounts to detect compromise quicker, and to reduce session lifetimes to block the use of stolen session tokens.
They should also only allow device enrollment for authorized devices and monitor for indicators of compromise that would yield the least amount of false positives when monitoring for security breaches.
“For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to protect against SVR’s TTPs for initial access,” the Five Eyes allies said.
“By following the mitigations outlined in this advisory, organizations will be in a stronger position to defend against this threat.”