
February 27, 2024 |

Russia-linked APT29 increasingly targeting cloud services


On February 26, 2024, members of the Five Eyes intelligence alliance (Canada, the UK, the US, Australia and New Zealand) revealed that the cyber wing of Russia’s Foreign Intelligence Service (SVR), known publicly as APT29, is increasingly focusing its efforts on victims’ cloud services. APT29 is traditionally known for using supply-chain attacks, such as the 2019 SolarWinds attack, and phishing as its primary attack vectors.

APT29 gains initial access to its targets' cloud environments by brute forcing or password spraying service accounts. The alliance also observed the group using dormant accounts belonging to former employees, which are not affected by system-wide password resets, to maintain persistence. Finally, APT29 was observed using stolen access tokens and exploiting misconfigurations to enroll its own devices in the victim’s cloud environment.

Once access is obtained, APT29 uses tools such as the MagicWeb malware, which enables authentication as any user within the compromised network, making it difficult for network defenders to detect malicious activity.

Source: Bleeping Computer

Analysis

It makes sense that as organizations traditionally targeted by APT29 increasingly move to cloud-based infrastructure, the group has followed suit by updating its TTPs to ensure they are still effective in this modern operating environment. Fortunately, many of the attack vectors used by APT29 to target cloud accounts are straightforward, and relatively easy to defend against by enabling a few security controls.

As long as the SVR continues to be tasked by the Russian government with collecting foreign intelligence, it will continue to develop and deploy new tools to fulfill its mandate, especially in periods of conflict.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for changes in the tactics, techniques, and procedures (TTPs) associated with state-sponsored cyber actors such as APT29. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the risk posed by their activities. Covalence users are automatically notified via the Covalence Portal if suspicious and/or unauthorized cloud login attempts, like those mentioned above, are detected.

The most effective way to mitigate the risk posed by APT29’s latest threat activity is to prevent the group from getting initial access to cloud services in the first place. Organizations should:

  • Enforce multi-factor authentication (MFA) and complex password requirements.
  • Monitor for and/or block login attempts from countries from which employees aren’t expected to log in, as well as from Tor, VPN, and high-risk IP addresses.
  • Reduce the lifetime of session tokens so that if stolen, they are of limited use to the threat actor.
  • Delete dormant or inactive user accounts.
  • Allow only authorized devices to enroll in the cloud environment.
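The initial-access techniques described earlier (password spraying of service accounts and sign-ins to dormant accounts) and the monitoring items in the list above map onto a few simple checks over a cloud sign-in log. The following Python script is an added example, not Field Effect's or Covalence's detection logic: it runs three such checks over a constructed sample log. The record layout, the directory extract of last-activity dates, the expected-country set and the thresholds are all assumptions chosen for the illustration.

```python
"""Three detections over a cloud sign-in log: password spraying, sign-ins to
dormant accounts, and sign-ins from unexpected countries.

Example code, not Field Effect's or Covalence's detection logic. Field names,
thresholds and sample data are assumptions made for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real sign-in records). Each event is one login
# attempt as a cloud identity provider's audit log might summarise it.
SIGNIN_LOG = [
    {"ts": "2024-02-26T08:00:01Z", "user": "alice@example.test",
     "ip": "203.0.113.10", "country": "CA", "result": "success"},
    # One source address failing against many different accounts within
    # minutes: the shape of a password spray (few passwords, many accounts).
    {"ts": "2024-02-26T09:00:00Z", "user": "svc-backup@example.test",
     "ip": "198.51.100.7", "country": "NL", "result": "failure"},
    {"ts": "2024-02-26T09:00:50Z", "user": "svc-build@example.test",
     "ip": "198.51.100.7", "country": "NL", "result": "failure"},
    {"ts": "2024-02-26T09:01:40Z", "user": "svc-monitor@example.test",
     "ip": "198.51.100.7", "country": "NL", "result": "failure"},
    {"ts": "2024-02-26T09:02:30Z", "user": "svc-print@example.test",
     "ip": "198.51.100.7", "country": "NL", "result": "failure"},
    {"ts": "2024-02-26T09:03:20Z", "user": "svc-scan@example.test",
     "ip": "198.51.100.7", "country": "NL", "result": "failure"},
    {"ts": "2024-02-26T09:04:10Z", "user": "svc-mail@example.test",
     "ip": "198.51.100.7", "country": "NL", "result": "failure"},
    {"ts": "2024-02-26T09:05:00Z", "user": "svc-mail@example.test",
     "ip": "198.51.100.7", "country": "NL", "result": "success"},
    # A successful sign-in to an account that has been idle for months.
    {"ts": "2024-02-26T10:15:00Z", "user": "former.employee@example.test",
     "ip": "192.0.2.44", "country": "NL", "result": "success"},
    # A single failed attempt from an expected location: benign noise.
    {"ts": "2024-02-26T10:20:00Z", "user": "bob@example.test",
     "ip": "203.0.113.11", "country": "CA", "result": "failure"},
]

# Constructed directory extract: last recorded activity per account, the kind
# of data an inactive-account review would draw on.
LAST_ACTIVITY = {
    "alice@example.test": "2024-02-25T17:30:00Z",
    "svc-mail@example.test": "2024-02-20T03:00:00Z",
    "former.employee@example.test": "2023-08-31T16:00:00Z",  # left the company
}

NOW = datetime(2024, 2, 26, 12, 0, 0)   # evaluation time for the dormancy check
EXPECTED_COUNTRIES = {"CA", "US"}      # assumed sign-in countries for this workforce
DORMANT_DAYS = 90                      # assumed threshold for "dormant"
SPRAY_MIN_ACCOUNTS = 5                 # distinct accounts failed from one IP ...
SPRAY_WINDOW = timedelta(minutes=10)   # ... within this window


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS,
                          window=SPRAY_WINDOW):
    """Return {ip: distinct_accounts} for source IPs whose failed sign-ins hit
    at least `min_accounts` different accounts inside any `window`."""
    failures = defaultdict(list)
    for event in events:
        if event["result"] == "failure":
            failures[event["ip"]].append(event)
    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, first in enumerate(evs):   # slide a window over the failures
            start = parse_ts(first["ts"])
            accounts = {e["user"] for e in evs[i:]
                        if parse_ts(e["ts"]) - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = len(accounts)
                break
    return flagged


def detect_dormant_logins(events, last_activity=LAST_ACTIVITY, now=NOW,
                          dormant_days=DORMANT_DAYS):
    """Return accounts with a successful sign-in whose last recorded activity
    is older than `dormant_days` (or unknown to the directory)."""
    hits = set()
    for event in events:
        if event["result"] != "success":
            continue
        previous = last_activity.get(event["user"])
        if previous is None or now - parse_ts(previous) > timedelta(days=dormant_days):
            hits.add(event["user"])
    return sorted(hits)


def detect_unexpected_geo(events, expected=EXPECTED_COUNTRIES):
    """Return (user, country) for successful sign-ins from outside `expected`."""
    return [(e["user"], e["country"]) for e in events
            if e["result"] == "success" and e["country"] not in expected]


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(SIGNIN_LOG))
    print("dormant account sign-ins:", detect_dormant_logins(SIGNIN_LOG))
    print("unexpected-country sign-ins:", detect_unexpected_geo(SIGNIN_LOG))
```

Each check uses the successful sign-in, not the failures alone, as the event worth paging on: the spray from 198.51.100.7 matters most because it ends in a success against a service account, and the former employee's account surfaces in both the dormancy and the geography checks. In production these would run against the identity provider's sign-in export with the thresholds tuned to the tenant's own baseline.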
