Members of the Five Eyes (FVEY) intelligence alliance sounded the alarm today as APT29, a group of Russian Foreign Intelligence Service (SVR) hackers, shifts their focus to attacking victims' cloud services. This group, also known as Cozy Bear, Midnight Blizzard, or The Dukes, gained infamy for breaching multiple U.S. federal agencies in the SolarWinds supply-chain attack over three years ago.
Their targets expanded to include Microsoft 365 accounts of various entities within NATO nations and governments, embassies, and senior officials in Europe, employing a series of phishing attacks. Recently, Microsoft confirmed a breach of Exchange Online accounts by this Russian hacking group in November 2023.
Cloud Services Under Attack
In a joint advisory by the U.K.'s National Cyber Security Centre (NCSC), the NSA, CISA, the FBI, and cyber security agencies from Australia, Canada, and New Zealand, the warning is clear: the SVR is increasingly targeting cloud infrastructure as organisations transition to modern systems. APT29 has adapted its tactics, moving beyond exploiting software vulnerabilities in on-premises networks to directly targeting cloud services themselves. Using service account credentials compromised through brute forcing or password spraying attacks, along with dormant accounts left unchecked after user departures, APT29 gains access and can even retain it after systemwide password resets. The group also employs stolen access tokens, compromised residential routers, MFA fatigue, and device registration to penetrate victims' cloud environments.
How to Detect SVR Cloud Attacks
After initial access, SVR hackers employ sophisticated tools like the MagicWeb malware, which lets them authenticate as any user within a compromised network and makes their activity hard to detect, particularly in government and critical organisations across Europe, the United States, and Asia. To counter APT29's initial access vectors, network defenders are advised to prioritise measures such as enabling MFA alongside strong passwords, applying the principle of least privilege, creating canary service accounts for quick compromise detection, and reducing session lifetimes to thwart the use of stolen session tokens.
Additionally, they should permit device enrolment only for authorised devices, monitor for compromise indicators yielding minimal false positives, and implement mitigation strategies outlined in the advisory. By doing so, organisations can bolster their defences against SVR's evolving tactics and safeguard their cloud infrastructure effectively.
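Two of the detection measures above, canary service accounts and monitoring for password spraying, can be checked against exported sign-in logs. The following is an added example written for this article, not code from the advisory or any vendor; the log field names, the sample events and the canary account name are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events, one JSON object per line. The field names
# (ts, user, src_ip, result) are an assumed export format, not a real product schema.
SAMPLE_LOG = """
{"ts": "2024-02-26T08:00:01Z", "user": "alice@example.org", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T08:00:02Z", "user": "bob@example.org", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T08:00:03Z", "user": "carol@example.org", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T08:00:04Z", "user": "dave@example.org", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T08:00:05Z", "user": "erin@example.org", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T08:00:06Z", "user": "frank@example.org", "src_ip": "203.0.113.7", "result": "success"}
{"ts": "2024-02-26T08:05:00Z", "user": "svc-canary-backup@example.org", "src_ip": "198.51.100.9", "result": "success"}
{"ts": "2024-02-26T09:00:00Z", "user": "alice@example.org", "src_ip": "192.0.2.44", "result": "failure"}
{"ts": "2024-02-26T09:00:30Z", "user": "alice@example.org", "src_ip": "192.0.2.44", "result": "success"}
"""

CANARY_ACCOUNTS = {"svc-canary-backup@example.org"}  # assumed decoy account with no legitimate use
SPRAY_MIN_USERS = 5  # distinct accounts failing from one source before it counts as a spray

def parse_events(raw):
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]

def detect_password_spray(events, min_users=SPRAY_MIN_USERS):
    """Flag source IPs whose failed sign-ins span many distinct accounts (few passwords, many users)."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed_users[e["src_ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed_users.items() if len(users) >= min_users}

def detect_canary_use(events, canaries=CANARY_ACCOUNTS):
    """Any sign-in attempt against a canary account, successful or not, is an alert."""
    return [e for e in events if e["user"] in canaries]

def spray_followed_by_success(events, sprays):
    """A successful sign-in from a spraying source is the highest-priority finding."""
    return [e for e in events if e["src_ip"] in sprays and e["result"] == "success"]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sprays = detect_password_spray(evs)
    for ip, users in sprays.items():
        print(f"[spray] {ip} failed against {len(users)} accounts: {', '.join(users)}")
    for e in spray_followed_by_success(evs, sprays):
        print(f"[spray->success] {e['src_ip']} signed in as {e['user']} at {e['ts']}")
    for e in detect_canary_use(evs):
        print(f"[canary] {e['user']} used from {e['src_ip']} at {e['ts']}")
```

Repeated single-user failures from one source (the 192.0.2.44 entries) stay below the threshold, which keeps the spray rule's false positives low while the canary rule fires on a single event.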