.jpg)
With the release of a newly published advisory, light has been shed on tactics employed by Russian state-linked cyber actors, particularly as numerous organisations transition towards cloud-based infrastructures.
Previously, the National Cyber Security Centre (NCSC) outlined Russia's Foreign Intelligence Service actors' (SVR) focus on governmental, think tank, healthcare, and energy sectors for intelligence purposes. However, recent observations indicate an expansion of SVR targets to encompass aviation, education, law enforcement, local and state councils, government financial departments, and military organisations.
Latest threats
In a recent collaborative advisory, the NCSC, along with agencies from the United States, Australia, Canada, and New Zealand, has outlined the adaptation of tactics by the threat group, APT29, aimed at intelligence gathering from organisations transitioning to cloud-based environments.
Many of the sectors targeted by the SVR, such as think tanks, healthcare, and education sectors, have transitioned to cloud-based infrastructure, limiting traditional avenues of access like exploiting software vulnerabilities.
Instead, SVR actors have recently been observed employing alternative methods over the past year. These include stealing system-issued access tokens to compromise victim accounts, enrolling new devices in the victim’s cloud environment via credential reuse from personal accounts, and targeting system accounts with password spraying and brute forcing. These techniques are facilitated by weak passwords and the absence of 2-step verification (2SV).
Once initial access is obtained, the actor can deploy highly sophisticated capabilities.
Adapting Tactics and Techniques (TTPs)
As more and more organisations begin to transition towards cloud-based infrastructure, the SVR has adjusted its strategies accordingly to navigate this evolving landscape.
Their approach extends beyond traditional methods of initial access, such as exploiting software vulnerabilities within on-premise networks, now targeting the cloud services directly.
For SVR actors to infiltrate victims' cloud-hosted networks, successful authentication to the cloud provider is crucial. Preventing initial access to the cloud environment can hinder SVR's ability to compromise their intended targets. In contrast, on-premise systems typically expose more of the network to threat actors.
Authentication via Cloud-Based Tokens
Account access is commonly authenticated using either username and password credentials or system-issued access tokens. The NCSC and its partners have noted instances of SVR actors utilising tokens to gain access to victims’ accounts without requiring a password (T1528).
The default validity period of system-issued tokens varies depending on the system. However, cloud platforms typically enable administrators to adjust the validity period according to the needs of their users. Further details on this can be found in the mitigation section of this advisory.
In addition to updated threat information, the advisory offers mitigation advice to counter the evolving tactics of APT29. The NCSC assesses that APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear, is a cyber espionage group likely operating as part of Russia’s Foreign Intelligence Service.
Previous works
Previously, the NCSC outlined the targeting tactics of SVR actors, focusing on governmental, think tank, healthcare, and energy sectors to gain intelligence. More recently, they've expanded their targets to include aviation, education, law enforcement, local and state councils, government financial departments, and military organisations.
SVR cyber actors gained notoriety for the supply chain compromise of SolarWinds software in 2020 and for targeting organisations involved in COVID-19 vaccine development during the same year.
As organisations transition to cloud infrastructure, a primary defence against adversaries like SVR involves safeguarding against SVR's Tactics, Techniques, and Procedures (TTPs) for initial access. By implementing the mitigation strategies detailed in this advisory, organisations can bolster their defences and better shield themselves from this threat.
To Sum Up
The expose on changes in Russian cyber operations underscores the gravity of the threat posed by state-linked cyber actors like the SVR and APT29. With a widening scope of targets and adaptation to exploit vulnerabilities in cloud-based infrastructure, this development highlights the evolving sophistication of cyber threats and those behind them.
Collaboration between the UK, its allies, and global cyber security partnerships such as Five Eyes also emphasises the collective effort required to confront and mitigate these threats and continuously evolving tactics effectively. Ensuring robust cyber security measures on cloud-based structures is evermore paramount to safeguarding sensitive data and critical infrastructure in today's digital landscape.
