The Russian threat group known to researchers by several names, including APT29, Midnight Blizzard, the Dukes, or Cozy Bear, is broadening its targets to cloud-based services, warn the Five Eyes nations that share intelligence.
In a report issued Monday, the partners — including the U.S., the U.K., Canada, Australia and New Zealand — said APT29 is expanding its targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations. And it’s going after the cloud services these organizations have.
“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” the report explains.
Until recently, this group focused mainly on governmental, think tank, healthcare, and energy targets for intelligence gain.
But arguably it’s best known for compromising the software update mechanism of SolarWinds’ Orion network management suite in 2019 to spread malware.
APT29 is a cyber espionage group, “almost certainly part of the SVR, an element of the Russian intelligence services,” the report says.
In previous SVR campaigns, the actors successfully used brute forcing and password spraying to access service accounts that run and manage applications and services, the report says.
In attacking cloud services, SVR actors have been seen using system-issued tokens to access their victims’ accounts, without needing a password.
The SVR successfully bypasses password authentication on personal accounts using password spraying and credential reuse. SVR actors have also then bypassed MFA through a technique known as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification, the report says.
Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own devices as new devices on the cloud tenant. If device validation rules are not set up, SVR actors can successfully register their own devices and gain access to the network.
Another SVR tactic is the use of residential proxies, which make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source. This can make it harder to distinguish malicious connections from typical users, the report says.
A strong baseline of cyber security fundamentals can help defend from such actors, the report says. For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to lower the odds of an initial network compromise.