Five Eyes Agencies Expose APT29’s Evolving Cloud Attack Tactics

2 months ago AndyC

Feb 27, 2024NewsroomCloud Security / Threat Intelligence

Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29.

Five Eyes Agencies Expose APT29's Evolving Cloud Attack Tactics

Feb 27, 2024NewsroomCloud Security / Threat Intelligence

Five Eyes Agencies Expose APT29's Evolving Cloud Attack Tactics

Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29.

The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the Russian Federation.

Previously attributed to the supply chain compromise of SolarWinds software, the cyber espionage group attracted attention in recent months for targeting Microsoft, Hewlett Packard Enterprise (HPE), and other organizations with an aim to further their strategic objectives.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” according to the security bulletin.

Cybersecurity

These include –

  • Obtaining access to cloud infrastructure via service and dormant accounts by means of brute-force and password spraying attacks, pivoting away from exploiting software vulnerabilities in on-premise networks
  • Using tokens to access victims’ accounts without the need for a password
  • Leveraging password spraying and credential reuse techniques to seize control of personal accounts, use prompt bombing to bypass multi-factor authentication (MFA) requirements, and then registering their own device to gain access to the network
  • Making it harder to distinguish malicious connections from typical users by utilizing residential proxies to make the malicious traffic appear as if it’s originating from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and conceal their true origins

“For organizations that have moved to cloud infrastructure, the first line of defense against an actor such as SVR should be to protect against SVR’ TTPs for initial access,” the agencies said. “Once the SVR gains initial access, the actor is capable of deploying highly sophisticated post compromise capabilities such as MagicWeb.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Microsoft Outlook Flaw Exploited by Russia's APT28 to Hack Czech, German Entities

Microsoft Outlook Flaw Exploited by Russia’s APT28 to Hack Czech, German Entities

1 day ago AndyC
Expert-Led Webinar - Uncovering Latest DDoS Tactics and Learn How to Fight Back

Expert-Led Webinar – Uncovering Latest DDoS Tactics and Learn How to Fight Back

2 days ago AndyC
Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

2 days ago AndyC
New Guide Explains How to Eliminate the Risk of Shadow SaaS and Protect Corporate Data

New Guide Explains How to Eliminate the Risk of Shadow SaaS and Protect Corporate Data

2 days ago AndyC
NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources

NSA, FBI Alert on N. Korean Hackers Spoofing Emails from Trusted Sources

2 days ago AndyC
Google Announces Passkeys Adopted by Over 400 Million Accounts

Google Announces Passkeys Adopted by Over 400 Million Accounts

2 days ago AndyC

You may have missed

Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION

4 hours ago AndyC
GenAI Continues to Dominate CIO and CISO Conversations

GenAI Continues to Dominate CIO and CISO Conversations

4 hours ago AndyC

Pay up, or else? – Week in security with Tony Anscombe

19 hours ago AndyC
Blackbasta gang Synlab Italia attack

Blackbasta gang Synlab Italia attack

22 hours ago AndyC
Microsoft Outlook Flaw Exploited by Russia's APT28 to Hack Czech, German Entities

Microsoft Outlook Flaw Exploited by Russia’s APT28 to Hack Czech, German Entities

1 day ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.