Members of the Five Eyes intelligence alliance have issued a stern warning about APT29, the hacking group of Russia's Foreign Intelligence Service (SVR), notorious for its role in the SolarWinds supply-chain attack three years ago. The group, also known as Cozy Bear or Midnight Blizzard, has escalated its tactics by targeting victims' cloud services.
The SVR has demonstrated its capability to breach multiple U.S. federal agencies and compromise Microsoft 365 accounts within NATO nations, exploiting cloud-based infrastructure to obtain sensitive foreign policy-related data. In one recent incident, Microsoft confirmed that the group breached Exchange Online accounts in November 2023.
The joint advisory from the UK's NCSC, NSA, CISA, FBI, and cybersecurity agencies in Australia, Canada, and New Zealand reveals that APT29 is evolving its strategies to infiltrate cloud environments. The group has shifted focus from exploiting on-premises network vulnerabilities to directly targeting cloud services.
APT29 employs various methods to gain access, including brute forcing, password spraying, and exploiting dormant accounts. The group also uses stolen access tokens and compromised residential routers, and exploits MFA fatigue to bypass multi-factor authentication.
Once inside, APT29 employs sophisticated tools like MagicWeb malware to navigate networks undetected, particularly targeting government and critical organizations globally.
To combat SVR threats, network defenders are urged to implement robust security measures such as enabling MFA, enforcing strong passwords, and adopting the principle of least privilege. They should create canary service accounts for early compromise detection and reduce session lifetimes to thwart the use of stolen session tokens.
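As an added illustration of two of these recommendations (not code from the advisory or from any of the issuing agencies), the following Python script runs two simple detections over constructed sign-in events: any attempt against a canary service account, and password spraying (one source IP failing against many distinct accounts in a short window). The event field names, thresholds and sample data are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Field names are an
# assumption loosely modelled on cloud identity sign-in logs.
SAMPLE_EVENTS = [
    {"ts": "2024-02-26T09:00:05Z", "user": "alice@example.test", "ip": "192.0.2.5", "ok": False},
    {"ts": "2024-02-26T09:00:40Z", "user": "alice@example.test", "ip": "192.0.2.5", "ok": True},
    {"ts": "2024-02-26T09:03:10Z", "user": "svc-canary-backup@example.test", "ip": "198.51.100.9", "ok": False},
] + [
    # Six distinct accounts failing from one IP within a few minutes: a spray pattern.
    {"ts": f"2024-02-26T09:0{i}:00Z", "user": f"user{i}@example.test", "ip": "198.51.100.9", "ok": False}
    for i in range(1, 7)
]

# A canary service account exists only to be tripped: nobody legitimately uses it.
CANARY_ACCOUNTS = {"svc-canary-backup@example.test"}
SPRAY_WINDOW = timedelta(minutes=10)   # assumed tuning values
SPRAY_MIN_ACCOUNTS = 5


def parse(events):
    """Normalise raw events into (timestamp, user, ip, success) tuples."""
    return [(datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"), e["user"], e["ip"], e["ok"])
            for e in events]


def canary_hits(events):
    """Any sign-in attempt against a canary account, successful or not, is a high-confidence alert."""
    return [e for e in parse(events) if e[1] in CANARY_ACCOUNTS]


def spray_sources(events):
    """Return source IPs that failed against >= SPRAY_MIN_ACCOUNTS distinct accounts within SPRAY_WINDOW."""
    failures = defaultdict(list)
    for ts, user, ip, ok in sorted(parse(events)):
        if not ok:
            failures[ip].append((ts, user))
    flagged = set()
    for ip, attempts in failures.items():
        for i, (t0, _) in enumerate(attempts):      # slide a window starting at each failure
            users = {u for t, u in attempts[i:] if t - t0 <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    print(json.dumps({"canary_hits": [e[1:] for e in canary_hits(SAMPLE_EVENTS)],
                      "spray_sources": sorted(spray_sources(SAMPLE_EVENTS))}, indent=2))
```

Run against real sign-in exports, the same logic would pair the canary alert with the spraying source so responders can see the two together; the thresholds should be tuned to normal failure rates in the tenant.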
Organizations utilizing cloud infrastructure must fortify defences against SVR's tactics to mitigate the risk of breaches. By adhering to the advisory's recommendations, they can bolster their resilience against these sophisticated cyber threats.