Russian cyber espionage gang adapts to target cloud systems


One of the most notorious and highly capable cyber espionage gangs, attributed to Russian intelligence services, has now evolved its tactics beyond traditional means to target cloud infrastructure, CISA, and other cyber defense, agencies warn.

On multiple occasions in the past 12 months, Russian Foreign Intelligence Service (SVR) cyber actors have successfully bypassed password authentication on personal accounts using password spraying (trying commonly used passwords) and credential reuse.

Once the SVR cyber actors gain initial access, they can deploy highly sophisticated post-compromise capabilities. According to the joint advisory of five cybersecurity agencies from the US, the UK, Australia, Canada, and New Zealand, SVR can register its own devices and steal tokens to move around the network.

ADVERTISEMENT

The adversary, tracked as APT29, is also known by Dukes, CozyBear, Dark Halo, UNC2452, and NOBELIUM/Midnight Blizzard.

This group is said to be responsible for the massive SolarWinds attack in 2020. Cybernews also reported on the gang targeting NATO and EU diplomats, involvement in attacks using Microsoft Teams, and exploiting other Microsoft vulnerabilities.

SVR cyber actors have targeted governmental, think tank, healthcare, and energy targets for intelligence gain. The US cyber defense agency CISA has now observed SVR expanding its targets to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

What do we know about SVR’s new tactics?

The SVR threat actor has evolved its tactics, techniques, and procedures to adapt to the trend of organizations moving their systems and infrastructure to the cloud.

“To access the majority of the victims’ cloud hosted network, actors must first successfully authenticate to the cloud provider,” CISA said.

SVR was observed targeting dormant accounts that belong to users who no longer work at a victim organization and were never removed.

Previous SVR campaigns were successful at using brute forcing and password spraying to access service accounts, which are typically used to manage applications and services.

ADVERTISEMENT

“There is no human user behind them so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations,” CISA’s advisory reads.

Even after a systemwide password reset, APT29 hackers followed instructions and logged into the accounts again to regain access.

Another method to get access is by exploiting credentials or system-issued access tokens. SVR actors used tokens to access its victims’ accounts without ever needing a password.

“SVR actors have also then bypassed MFA through a technique known as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification,” CISA said.

Once in, the SVR actors try to register their own device as a new device on the cloud tenant and gain access to the network. For command and control, the SVR uses open proxies in residential IP ranges to blend in with expected IP address pools in access logs.

“The actor is capable of deploying highly sophisticated post compromise capabilities such as MagicWeb, as reported in 2022. Therefore, mitigating against the SVR’s initial access vectors is particularly important for network defenders.”

Defenders should focus on initial access

Cybersecurity teams must maintain a strong baseline of cybersecurity fundamentals to defend against a sophisticated actor capable of carrying out a global supply chain compromise.

According to CISA, the first line of defense is protecting initial access points.

“Denying initial access to the cloud environment can prohibit SVR from successfully compromising its target. In contrast, in an on-premises system, more of the network is typically exposed to threat actors,” CISA said.

ADVERTISEMENT

Mitigation and detection advisory includes using multi-factor authentication, strong and unique passwords, disabling inactive/dormant accounts, and others.

“The default validity time of system-issued tokens varies, dependent on the system. However, cloud platforms should allow administrators to adjust the validity time as appropriate for their users,” CISA noted.

Configuring the network with device enrollment policies may also help to defend against SVR actors and deny them access to the cloud tenant.