A recent joint advisory by CISA [5], the UK NCSC [5] [7] [8], and international partners highlights the evolving tactics of Russian SVR cyber actors [5], also known as APT29 or Cozy Bear [5] [8].

Description

The group has shifted its focus to infiltrating cloud environments and exploiting vulnerabilities since September 2023. SVR actors have been observed using techniques such as password spraying and brute forcing [1] [5] [7], targeting dormant accounts that lack multi-factor authentication, and using cloud-based token authentication and MFA bombing to gain access [3]. Once inside a target’s cloud environment [1], they maintain their presence using system-issued tokens or registered devices. SVR actors have also been using residential proxies to obscure the origin of their access [1].

Organizations are advised to implement robust cybersecurity measures [5], including MFA [5], regular password resets [5], system account management [1], short token validity periods [1], conditional access policies [1], device enrollment [1], strong password enforcement [1], and system updates, to defend against the SVR’s tactics.

The SVR actors have expanded their targeting to include sectors such as aviation [1], education [1] [2] [3] [7], law enforcement [1] [2] [3], government financial departments [1] [2], and military organizations [1] [2]. They have also been involved in supply chain compromises [1], the targeting of COVID-19 vaccine development [1], and the breach of Democratic National Committee communications [1].

Network defenders and organizations are encouraged to review the advisory for recommended mitigations [6]. For more information on APT29 [6], visit CISA’s Russia Cyber Threat Overview and Advisories page [6]. Guidance on cloud security best practices can also be found in CISA’s Secure Cloud Business Applications (SCuBA) Project [6]. Basic cloud security measures, such as regularly evaluating and disabling dormant accounts and implementing more stringent device-enrollment policies, can help defend against these sophisticated actors [4].
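The three access techniques named above (password spraying, MFA bombing, and dormant accounts without MFA) each leave a recognisable pattern in identity-provider sign-in data. The script below is an added example written for this summary, not code from the advisory, CISA or the NCSC; it runs over a constructed sign-in log and account inventory, and the log format, field names, and thresholds are assumptions that would need to be mapped onto a real provider's schema.

```python
"""Detection checks for the cloud-access tactics described in the advisory.
Example code added to this summary; not from the advisory or any vendor.
Log layout, field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real data). Space-separated fields:
# timestamp user source_ip result kind  (result: success|failure|mfa_denied;
# kind: password|mfa_push)
SAMPLE_SIGNIN_LOG = """\
2024-02-20T09:00:01Z alice@example.test 203.0.113.7 failure password
2024-02-20T09:00:04Z bob@example.test 203.0.113.7 failure password
2024-02-20T09:00:09Z carol@example.test 203.0.113.7 failure password
2024-02-20T09:00:15Z dave@example.test 203.0.113.7 failure password
2024-02-20T09:00:21Z erin@example.test 203.0.113.7 failure password
2024-02-20T09:00:30Z frank@example.test 203.0.113.7 success password
2024-02-20T10:12:00Z frank@example.test 203.0.113.7 mfa_denied mfa_push
2024-02-20T10:12:40Z frank@example.test 203.0.113.7 mfa_denied mfa_push
2024-02-20T10:13:20Z frank@example.test 203.0.113.7 mfa_denied mfa_push
2024-02-20T10:14:05Z frank@example.test 203.0.113.7 mfa_denied mfa_push
2024-02-20T11:00:00Z alice@example.test 198.51.100.4 failure password
2024-02-20T11:00:30Z alice@example.test 198.51.100.4 success password
"""

# Constructed account inventory: user -> (last successful sign-in, MFA enrolled)
SAMPLE_ACCOUNTS = {
    "alice@example.test": ("2024-02-20T11:00:30Z", True),
    "frank@example.test": ("2024-02-20T10:15:00Z", True),
    "svc-backup@example.test": ("2023-09-01T02:00:00Z", False),  # dormant, no MFA
    "old-intern@example.test": ("2023-06-15T08:30:00Z", True),   # dormant, has MFA
}

NOW = datetime(2024, 2, 27, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Assumed thresholds; tune to the environment's normal failure rates.
SPRAY_WINDOW, SPRAY_MIN_DISTINCT_USERS = timedelta(minutes=10), 5
MFA_BOMB_WINDOW, MFA_BOMB_MIN_DENIALS = timedelta(minutes=5), 3
DORMANT_AFTER = timedelta(days=90)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_log(text):
    """Turn the line-oriented sample log into a time-sorted list of event dicts."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, user, src_ip, result, kind = line.split()
        events.append({"time": parse_ts(ts), "user": user, "src_ip": src_ip,
                       "result": result, "kind": kind})
    return sorted(events, key=lambda e: e["time"])


def _windowed_hits(items, window, distinct, minimum):
    """items: time-sorted (time, value) pairs. True if some span no longer than
    `window` holds >= `minimum` distinct values (distinct=True) or items."""
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        span = items[start:end + 1]
        size = len({v for _, v in span}) if distinct else len(span)
        if size >= minimum:
            return True
    return False


def detect_password_spray(events):
    """Source IPs with password failures against many distinct accounts in one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "password" and e["result"] == "failure":
            by_ip[e["src_ip"]].append((e["time"], e["user"]))
    return sorted(ip for ip, items in by_ip.items()
                  if _windowed_hits(items, SPRAY_WINDOW, True, SPRAY_MIN_DISTINCT_USERS))


def detect_mfa_bombing(events):
    """Users who denied repeated MFA push prompts in a short window (push fatigue)."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "mfa_push" and e["result"] == "mfa_denied":
            by_user[e["user"]].append((e["time"], e["user"]))
    return sorted(u for u, items in by_user.items()
                  if _windowed_hits(items, MFA_BOMB_WINDOW, False, MFA_BOMB_MIN_DENIALS))


def find_dormant_without_mfa(accounts, now=NOW):
    """Accounts idle longer than DORMANT_AFTER with no MFA: the population the
    advisory says is targeted, so disable them or enforce enrollment."""
    return sorted(user for user, (last_ok, mfa) in accounts.items()
                  if now - parse_ts(last_ok) > DORMANT_AFTER and not mfa)


def run_checks(log_text=SAMPLE_SIGNIN_LOG, accounts=SAMPLE_ACCOUNTS):
    events = parse_log(log_text)
    return {"password_spray_sources": detect_password_spray(events),
            "mfa_bombing_targets": detect_mfa_bombing(events),
            "dormant_accounts_without_mfa": find_dormant_without_mfa(accounts)}


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

The spray check keys on the source address because a sprayer touches many accounts with few attempts each, so per-account lockout counters never trip; with the residential proxies the advisory mentions, the source address will rotate, so in practice the same window logic is worth running keyed on user-agent or ASN as well. The dormant-account check is the one to run on a schedule, since it flags the accounts before an attempt shows up in the sign-in log at all.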

Conclusion

It is crucial for organizations to take proactive steps to defend against the evolving tactics of Russian SVR cyber actors. By implementing robust cybersecurity measures and staying informed about recommended mitigations, organizations can better protect their cloud environments and sensitive data. The impact of these cyber threats extends across various sectors, emphasizing the importance of vigilance and preparedness in the face of sophisticated adversaries.

References

[1] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3686651/russian-cyber-actors-target-cloud-hosted-infrastructure/
[2] https://www.assurantcyber.com/blog/aa24-057a/
[3] https://www.meritalk.com/articles/cisa-warns-of-russian-hacker-tactics-against-cloud-systems/
[4] https://cyberscoop.com/five-eyes-nations-warn-of-evolving-russian-cyberespionage-practices-targeting-cloud-environments/
[5] https://www.infosecurity-magazine.com/news/cisa-alert-apt29s-cloud-tactics/
[6] https://www.redpacketsecurity.com/cisa-cisa-ncsc-uk-and-partners-release-advisory-on-russian-svr-actors-targeting-cloud-infrastructure-27-02-2024/
[7] https://www.techtarget.com/searchSecurity/news/366571396/CISA-APT29-targeting-cloud-accounts-for-initial-access
[8] https://cybermaterial.com/joint-advisory-warns-of-svr-targets-cloud/