Five Eye Agencies Reveal APT29’s Evolving Cloud Attack Tactics

February 27, 2024NewsroomCloud Security / Threat Intelligence

Cloud Attack Tactics

Cybersecurity and intelligence agencies from the Five Eyes countries released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29.

The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation.

Previously blamed for the compromise of the SolarWinds software supply chain, the cyber espionage group has attracted attention in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE), and other organizations with intent. to pursue their strategic objectives.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, SVR adapts to these changes in the operating environment,” according to security bulletin.

Cybersecurity

This includes-

  • Gaining access to cloud infrastructure through service and dormant accounts through brute-force and password spraying attacks, avoiding exploiting software vulnerabilities in on-premise networks
  • Tokens are used to access victims’ accounts without requiring a password
  • Using password spraying and credential reuse techniques to gain control of personal accounts, use quick bombing to bypass multi-factor authentication (MFA) requirements, and then register their own device to access the network
  • It makes it difficult to detect malicious connections from ordinary users by using residential proxies so that malicious traffic appears as if it originates from IP addresses within the internet service provider (ISP) ranges. are used for residential broadband customers and hide their true origin.

“For organizations moving to cloud infrastructure, the first line of defense against an actor like SVR should be to protect against SVR’s TTPs for initial access,” the agencies said. “Once the SVR gains initial access, the actor is able to deploy highly sophisticated post compromise capabilities such as MagicWeb.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment