Five Eyes Alliance Warns of Increase in APT29 Russian Foreign Intelligence Service Attacks on Cloud Services

In a joint advisory issued by the members of the Five Eyes (FVEY) intelligence alliance, including the U.K.’s National Cyber Security Centre (NCSC), the NSA, CISA, the FBI, and cybersecurity agencies from Australia, Canada, and New Zealand, it was revealed that APT29 Russian Foreign Intelligence Service (SVR) hackers have shifted their focus to targeting victims’ cloud services. This shift marks a new phase in the cyber threat landscape, with the Russian threat group adapting to the modernization of systems and the migration to cloud-based infrastructure by organizations.

The APT29 group, also known as Cozy Bear, Midnight Blizzard, and The Dukes, gained notoriety for breaching multiple U.S. federal agencies in the aftermath of the SolarWinds supply-chain attack that they orchestrated over three years ago. During their campaign, they also compromised Microsoft 365 accounts belonging to entities within NATO nations to steal foreign policy-related data and conducted phishing attacks targeting governments, embassies, and senior officials across Europe.

More recently, Microsoft confirmed that APT29 hackers breached Exchange Online accounts of executives and users from other organizations in November 2023, further highlighting the group’s relentless cyber espionage activities.

The Five Eyes agencies discovered that APT29 hackers are now exploiting vulnerabilities in cloud infrastructure, gaining access to their targets’ cloud environments through compromised access service accounts obtained through brute force or password spraying attacks. They are also utilizing dormant accounts left in targeted organizations, enabling them to re-access systems even after password resets. Additionally, the hackers are leveraging stolen access tokens, compromised residential routers for proxying malicious activity, MFA fatigue to bypass multi-factor authentication, and registering their own devices as new devices on victims’ cloud tenants to establish initial access.

To combat SVR cloud attacks, network defenders are urged to implement measures such as enabling MFA and strong passwords, following the principle of least privilege for system and service accounts, creating canary service accounts for quicker compromise detection, and reducing session lifetimes to prevent the use of stolen session tokens. Monitoring for indicators of compromise and implementing safeguards against SVR’s tactics, techniques, and procedures (TTPs) for initial access are essential steps to enhance defense against this evolving cyber threat.

The advisory emphasized the importance of organizations protecting themselves against APT29’s tactics to strengthen their defense posture and mitigate the risk of falling victim to SVR’s cyber espionage activities. By following the recommended mitigations outlined in the advisory, organizations can enhance their resilience against sophisticated cyber threats and safeguard their cloud infrastructure from compromise.

As cyber threats continue to evolve and threat actors like APT29 adapt their techniques to target cloud services, proactive defense measures and collaboration among international intelligence alliances will be crucial in countering the growing cyber threat landscape. The Five Eyes alliance’s warning serves as a reminder of the ongoing challenges posed by sophisticated threat actors and the need for organizations to remain vigilant in the face of evolving cyber threats.

Source link