The Five Eyes nations’ cybersecurity and intelligence agencies have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29.
The hacking group, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium) and The Dukes, is believed to be affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation.
Previously blamed for compromising the SolarWinds software supply chain, the cyber espionage group has attracted attention in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE) and other organizations with the aim of furthering its strategic goals.
“As organizations continue to modernize their systems and move to cloud-based infrastructures, the SVR has adapted to these changes in the operating environment,” according to the security bulletin.
These include:
- Gaining access to cloud infrastructure via service and dormant accounts using brute force attacks and password spraying, while avoiding the exploitation of software vulnerabilities in on-premises networks
- Using tokens to access victims’ accounts without the need for a password
- Leveraging password spraying and credential reuse techniques to take control of personal accounts, using prompt bombing to bypass multi-factor authentication (MFA) requirements, and then enrolling their own devices to gain network access
- Making it harder to distinguish malicious connections from typical users by using residential proxies, so that malicious traffic appears to come from IP addresses within the ranges of Internet service providers (ISPs) used for residential broadband customers, hiding its true origin
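Two of the initial-access patterns in the list above, low-and-slow password spraying against many accounts and MFA prompt bombing against one account, leave a recognizable footprint in cloud sign-in logs. The following is an added detection example, not code from the advisory or from any of the agencies; the event tuple layout, the constructed sample events (documentation-range IPs, made-up account names) and the thresholds are all assumptions chosen for illustration.

```python
"""Added example: flag password spraying and MFA prompt bombing in sign-in
events. Not from the advisory; log layout, sample data and thresholds are
assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hhmm):
    # Helper: build a timestamp on one fixed, constructed date.
    return datetime(2024, 2, 26, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample sign-in events (not real telemetry):
# (timestamp, account, source_ip, result)
SAMPLE_EVENTS = [
    # Low-and-slow spray from one address: one bad password per account,
    # which stays under per-account lockout thresholds.
    (_t("09:00"), "svc-backup", "198.51.100.7", "bad_password"),
    (_t("09:01"), "svc-report", "198.51.100.7", "bad_password"),
    (_t("09:02"), "jdoe-old", "198.51.100.7", "bad_password"),
    (_t("09:03"), "asmith", "198.51.100.7", "bad_password"),
    (_t("09:04"), "bjones", "198.51.100.7", "bad_password"),
    (_t("09:05"), "cwhite", "198.51.100.7", "bad_password"),
    # Ordinary user mistyping twice, then succeeding: not a spray.
    (_t("09:10"), "cwhite", "203.0.113.5", "bad_password"),
    (_t("09:11"), "cwhite", "203.0.113.5", "bad_password"),
    (_t("09:12"), "cwhite", "203.0.113.5", "success"),
    # Prompt bombing: repeated MFA pushes denied, then one approved.
    (_t("13:00"), "asmith", "198.51.100.7", "mfa_denied"),
    (_t("13:02"), "asmith", "198.51.100.7", "mfa_denied"),
    (_t("13:04"), "asmith", "198.51.100.7", "mfa_denied"),
    (_t("13:06"), "asmith", "198.51.100.7", "mfa_denied"),
    (_t("13:08"), "asmith", "198.51.100.7", "mfa_approved"),
    # A single denial is normal noise.
    (_t("13:30"), "bjones", "203.0.113.9", "mfa_denied"),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: [accounts]} for IPs whose failed logins touch at
    least `min_accounts` distinct accounts inside `window` while never
    exceeding `max_per_account` failures on any single account."""
    failures = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "bad_password":
            failures[ip].append((ts, account))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        # Slide a window starting at each failure from this IP.
        for i, (start, _) in enumerate(attempts):
            counts = defaultdict(int)
            for ts, account in attempts[i:]:
                if ts - start > window:
                    break
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[ip] = sorted(counts)
                break
    return flagged


def detect_mfa_bombing(events, window=timedelta(minutes=15), min_denied=3):
    """Return {account: approved_after_burst} for accounts that denied at
    least `min_denied` MFA challenges inside `window`. True means a push was
    approved later in the same window, i.e. the user eventually gave in."""
    mfa = defaultdict(list)
    for ts, account, ip, result in events:
        if result in ("mfa_denied", "mfa_approved"):
            mfa[account].append((ts, result))
    flagged = {}
    for account, evs in mfa.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            denied = 0
            approved = False
            for ts, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "mfa_denied":
                    denied += 1
                elif result == "mfa_approved" and denied >= min_denied:
                    approved = True
            if denied >= min_denied:
                flagged[account] = approved
                break
    return flagged


if __name__ == "__main__":
    print("password spray:", detect_password_spray(SAMPLE_EVENTS))
    print("MFA bombing:", detect_mfa_bombing(SAMPLE_EVENTS))
```

The spray check deliberately keys on many accounts with few failures each rather than on failure volume per account, because the per-account lockout counters that catch classic brute force never trip on this pattern; the dormant and service accounts named in the advisory are the ones most likely to go unnoticed in such a sweep. For the MFA check, a burst of denials followed by an approval is the highest-priority case, since it indicates the bypass succeeded and the device-enrollment step may follow.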
“For organizations that have moved to cloud infrastructure, the first line of defense against an actor like SVR should be to protect themselves from SVR’s TTPs for initial access,” the agencies said. “Once the SVR gains initial access, the actor is able to implement highly sophisticated post-compromise capabilities such as MagicWeb.”