The Russian threat group known to researchers by several names, including APT29, Midnight Blizzard, the Dukes and Cozy Bear, is expanding its targets to cloud-based services, the intelligence-sharing Five Eyes nations warn.

In a report released Monday, the partners – the United States, United Kingdom, Canada, Australia and New Zealand – said APT29 was expanding its targeting to include aviation, education, law enforcement, local and state councils, government financial services and military organizations, and the cloud services those organizations use. “As organizations continue to modernize their systems and migrate to cloud-based infrastructure, SVR has adapted to these changes in the operating environment,” the report explains.

Until recently, the group focused primarily on government, think tank, health care and energy targets for intelligence collection. It is perhaps best known for compromising the software update mechanism of SolarWinds' Orion network management suite in 2019 to distribute malware. APT29 is a cyberespionage group, “almost certainly part of the SVR, an element of Russian intelligence services,” the report said.

In previous SVR campaigns, actors have successfully used brute forcing and password spraying to gain access to service accounts that run and manage applications and services, the report said. When attacking cloud services, SVR actors have been seen using system-issued tokens to access their victims' accounts without needing a password. SVR has bypassed password authentication on personal accounts through password spraying and credential reuse. SVR actors have also circumvented MFA through a technique known as MFA bombing or MFA fatigue, in which actors repeatedly send MFA requests to the victim's device until the victim accepts the notification, the report said.

Once SVR actors have bypassed these controls and gained access to the cloud environment, they have been observed registering their own devices as new devices on the cloud tenant. If device validation rules are not defined, SVR actors can successfully register their own devices and access the network.

Another SVR tactic is the use of residential proxies, which make traffic appear to come from IP addresses within Internet Service Provider (ISP) ranges used for residential broadband customers and hide its true source. This can make it more difficult to distinguish malicious logins from those of typical users, the report said.

According to the report, a solid foundation of cybersecurity fundamentals can help defend against such actors. For organizations that have migrated to cloud infrastructure, the first line of defense against an actor like SVR should be to reduce the risk of initial network compromise. More details are available in the report itself.
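The three sign-in patterns the report describes (password spraying, MFA fatigue, and a device registration following a bypassed MFA prompt) can all be surfaced from a tenant's authentication log by looking at behaviour rather than source-IP reputation, which is exactly the signal residential proxies are meant to defeat. The Python below is an added example, not code from the advisory or this article; the log format, field names and thresholds are assumptions, and the log lines are constructed with documentation-range IP addresses.

```python
"""Added example (not from the advisory or the article): behaviour-based
detectors for password spraying, MFA fatigue and post-approval device
registration. Log format, field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). Assumed format: ISO
# timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-02-26T10:00:00Z user=alice ip=203.0.113.10 event=login result=failure
2024-02-26T10:00:05Z user=bob ip=203.0.113.10 event=login result=failure
2024-02-26T10:00:10Z user=carol ip=203.0.113.10 event=login result=failure
2024-02-26T10:00:15Z user=dave ip=203.0.113.10 event=login result=failure
2024-02-26T10:00:20Z user=erin ip=203.0.113.10 event=login result=failure
2024-02-26T10:30:00Z user=alice ip=198.51.100.7 event=login result=success
2024-02-26T10:30:02Z user=alice ip=198.51.100.7 event=mfa_push result=denied
2024-02-26T10:30:40Z user=alice ip=198.51.100.7 event=mfa_push result=timeout
2024-02-26T10:31:20Z user=alice ip=198.51.100.7 event=mfa_push result=denied
2024-02-26T10:32:00Z user=alice ip=198.51.100.7 event=mfa_push result=timeout
2024-02-26T10:32:45Z user=alice ip=198.51.100.7 event=mfa_push result=approved
2024-02-26T10:35:00Z user=alice ip=198.51.100.7 event=device_register result=success
2024-02-26T11:00:00Z user=bob ip=192.0.2.44 event=login result=success
2024-02-26T11:00:03Z user=bob ip=192.0.2.44 event=mfa_push result=approved
"""


def parse_log(text):
    """Parse the assumed key=value format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs whose failed logins cover many distinct accounts in one window."""
    # Spraying stays under per-account lockout thresholds, so key on the
    # source and count accounts instead of failures per account.
    failures = defaultdict(list)
    for ev in events:
        if ev["event"] == "login" and ev["result"] == "failure":
            failures[ev["ip"]].append(ev)
    flagged = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_users:
                flagged.append(ip)
                break
    return flagged


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejected=3):
    """Users who approve a push after several denied/expired pushes; returns {user: approval time}."""
    pushes = defaultdict(list)
    for ev in events:
        if ev["event"] == "mfa_push":
            pushes[ev["user"]].append(ev)
    flagged = {}
    for user, evs in pushes.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["result"] != "approved":
                continue
            rejected = [e for e in evs[:i]
                        if e["result"] != "approved" and ev["ts"] - e["ts"] <= window]
            if len(rejected) >= min_rejected:
                flagged[user] = ev["ts"]
                break
    return flagged


def detect_device_registration(events, suspicious_approvals, window=timedelta(minutes=30)):
    """Device registrations shortly after an approval already flagged as fatigue."""
    # Keyed on the prior fatigue signal, not on the IP, so a residential
    # proxy does not change the outcome.
    flagged = []
    for ev in events:
        if ev["event"] != "device_register":
            continue
        approved_at = suspicious_approvals.get(ev["user"])
        if approved_at is not None and timedelta(0) <= ev["ts"] - approved_at <= window:
            flagged.append((ev["user"], ev["ip"]))
    return flagged


def analyze(text):
    """Run all three detectors over a log and return the findings."""
    events = parse_log(text)
    fatigue = detect_mfa_fatigue(events)
    return {
        "password_spray": detect_password_spray(events),
        "mfa_fatigue": sorted(fatigue),
        "device_registration": detect_device_registration(events, fatigue),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Running it flags 203.0.113.10 for spraying, alice for MFA fatigue, and alice's device registration two minutes after the fatigued approval; bob's single clean approval is not flagged. The thresholds are starting points to tune against the tenant's own baseline, and the device check is a detection only: the preventive control the report points to is defining device validation rules so an unvetted registration is refused in the first place.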