Russian Hackers Shift Tactics to Target Cloud Users, Security Agencies Warn

Preeti Bali / 2:17 pm / March 4, 2024

A recent security advisory issued by the UK National Cyber Security Centre (NCSC) and international partners sounds the alarm about evolving techniques used by Russian state-backed hackers. The advisory highlights how the cyberespionage group APT29, also known as Cozy Bear or the Dukes, is adapting its approach to target organizations increasingly reliant on cloud-based infrastructure.

Previously focused on infiltrating government agencies, think tanks, healthcare providers, and energy firms, APT29 is now expanding its reach. The group is setting its sights on a wider range of victims, including those in aviation, education, law enforcement, local governments, financial departments, and even military organizations.

The advisory urges organizations to fortify their cloud defenses by eliminating inactive accounts, enabling multi-factor authentication (MFA), and deploying “canary accounts” to detect suspicious activity.

APT29’s New Playbook

Believed to be responsible for the devastating SolarWinds supply chain attack of 2020, APT29 is notorious for its cyberespionage activities. The group has also been linked to a recent password spraying campaign that compromised a small number of Microsoft corporate email accounts.

Security experts have observed a shift in APT29’s tactics over the past year, suggesting a specific focus on exploiting vulnerabilities in cloud services used by target organizations. This marks a departure from their traditional methods, which centered on compromising on-premises IT infrastructure.

Their current strategy involves leveraging brute-force attacks and password spraying techniques. These attacks target inactive accounts or service accounts used to manage applications within a network.

The advisory emphasizes the vulnerability of service accounts: because they are not tied to an individual user, they are typically incompatible with MFA. Gaining access to these accounts grants attackers a privileged foothold within the network, enabling them to launch further intrusions.

MFA Fatigue and Other Sneaky Tricks

APT29 is also bypassing MFA protocols through a tactic known as “MFA bombing.” This involves overwhelming a victim’s device with a relentless stream of authentication requests, aiming to exhaust the user into accidentally or impatiently approving a request.

Once MFA is bypassed, attackers can register their own devices on the compromised network, granting them deeper access to the victim’s systems. The advisory also details the use of stolen authentication tokens by APT29, allowing them to access accounts without needing a password.

Cloud Security: A Shared Responsibility

Toby Lewis, a threat analysis leader at cybersecurity firm Darktrace, emphasizes the inherent challenges of securing cloud environments. The migration of data and workloads to the cloud has created new attack surfaces that malicious actors are eager to exploit.

Lewis highlights the vast amount of sensitive data stored in cloud environments, making them prime targets for cybercriminals and nation-state attackers alike. The distributed nature of cloud infrastructure, along with rapid resource provisioning and misconfigurations, further complicates security efforts.

The advisory warns of the effectiveness of residential proxies and inactive accounts as tools for APT29. Dormant accounts left behind by former employees can be exploited to bypass password resets enforced after a security breach. Attackers can simply access these inactive accounts and initiate password reset procedures.

Residential proxies are another weapon in APT29’s arsenal. By masking their location and mimicking local IP addresses, they can evade detection by security measures that rely on IP addresses to identify suspicious activity.

Beyond the Basics: Collaborative Defense

While not explicitly mentioned in the advisory, Lewis suggests that advancements in generative AI pose additional challenges for cloud security. Attackers can leverage this technology to craft more sophisticated phishing attacks and social engineering tactics.

A common misconception, according to Lewis, is that cloud security is solely the responsibility of cloud service providers. The advisory emphasizes a shared responsibility model, where both the provider and the customer play a role in securing the environment.

Cloud service providers secure the underlying infrastructure, but proper configuration of resources, identity and access management, and application security remains the customer’s responsibility.

The Path Forward: Invest in Skills and Processes

The NCSC advisory underscores the importance of fundamental cybersecurity practices, including:

  • Implementing MFA
  • Enforcing strong and unique passwords
  • Reducing session durations for tokens and user logins
  • Implementing a principle of least privilege for accounts, granting only the minimal access required

These measures can significantly reduce the potential damage from compromised accounts and limit the attackers’ access level. The advisory highlights that strong cybersecurity fundamentals can thwart even sophisticated threats like APT29.

Furthermore, the advisory recommends deploying canary accounts to serve as decoys that attract and expose suspicious activity. Additionally, organizations should prioritize zero-touch enrollment policies to restrict unauthorized device access and leverage a variety of data sources, such as application events and logs, to identify and investigate potential malicious behavior.
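As an added example (not code from the NCSC advisory, Darktrace, or this article), the script below applies the detection ideas discussed on this page to cloud sign-in logs: the password spraying pattern against service and inactive accounts described under “APT29’s New Playbook”, the flood of push prompts described under “MFA Fatigue”, and any sign-in attempt against a canary account. The log line format, account names, IP addresses, event names and thresholds are all assumptions constructed for the example; a real deployment would read its identity provider’s sign-in log and tune the thresholds to its own baseline.

```python
"""Detection logic over constructed cloud sign-in log lines (added example).

Flags three patterns the advisory describes, from a defender's side:
  * password spraying: one source IP failing against many distinct accounts
  * MFA bombing: many push prompts to one user in a short window
  * canary access: any event touching a decoy account that no one should use
Log format, names and IPs are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format: "<UTC timestamp> <user> <src_ip> <event> <result>"
SAMPLE_LOG = """\
2024-03-01T08:00:01Z svc-backup 203.0.113.7 password FAIL
2024-03-01T08:00:05Z svc-deploy 203.0.113.7 password FAIL
2024-03-01T08:00:09Z svc-monitor 203.0.113.7 password FAIL
2024-03-01T08:00:14Z j.doe 203.0.113.7 password FAIL
2024-03-01T08:00:20Z m.smith 203.0.113.7 password FAIL
2024-03-01T08:00:27Z svc-backup 203.0.113.7 password SUCCESS
2024-03-01T08:15:00Z j.doe 198.51.100.5 password FAIL
2024-03-01T08:15:30Z j.doe 198.51.100.5 password SUCCESS
2024-03-01T09:10:00Z alice 203.0.113.9 mfa_push PROMPT
2024-03-01T09:10:30Z alice 203.0.113.9 mfa_push PROMPT
2024-03-01T09:11:00Z alice 203.0.113.9 mfa_push PROMPT
2024-03-01T09:11:30Z alice 203.0.113.9 mfa_push PROMPT
2024-03-01T09:12:00Z alice 203.0.113.9 mfa_push PROMPT
2024-03-01T09:12:30Z alice 203.0.113.9 mfa_push PROMPT
2024-03-01T09:12:45Z alice 203.0.113.9 mfa_push APPROVE
2024-03-01T09:30:00Z bob 198.51.100.8 mfa_push PROMPT
2024-03-01T09:30:10Z bob 198.51.100.8 mfa_push APPROVE
2024-03-01T10:00:00Z canary-finance 203.0.113.20 password FAIL
"""

# Decoy accounts (assumed names): created only to be watched, never used legitimately.
CANARY_ACCOUNTS = {"canary-finance", "canary-hr"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "event": event, "result": result,
        })
    return events


def max_distinct_in_window(stamped, window):
    """stamped: list of (timestamp, value). Return the largest number of distinct
    values that fall inside any sliding window of the given length."""
    stamped = sorted(stamped, key=lambda p: p[0])
    best, start = 0, 0
    for end in range(len(stamped)):
        while stamped[end][0] - stamped[start][0] > window:
            start += 1
        best = max(best, len({v for _, v in stamped[start:end + 1]}))
    return best


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Spraying looks like few failures per account but many accounts per source.
    Returns {src_ip: distinct accounts failed against} for IPs over threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "password" and e["result"] == "FAIL":
            by_ip[e["ip"]].append((e["ts"], e["user"]))
    hits = {ip: max_distinct_in_window(v, window) for ip, v in by_ip.items()}
    return {ip: n for ip, n in hits.items() if n >= min_accounts}


def detect_mfa_bombing(events, min_prompts=5, window=timedelta(minutes=5)):
    """Many push prompts to one user in a short time; the attacker is waiting for
    a tired approval. Returns {user: prompts in the densest window} over threshold."""
    by_user = defaultdict(list)
    for i, e in enumerate(events):
        if e["event"] == "mfa_push" and e["result"] == "PROMPT":
            by_user[e["user"]].append((e["ts"], i))  # index makes every prompt distinct
    hits = {u: max_distinct_in_window(v, window) for u, v in by_user.items()}
    return {u: n for u, n in hits.items() if n >= min_prompts}


def detect_canary_access(events, canaries=CANARY_ACCOUNTS):
    """Any activity at all on a decoy account is a signal; success is not required."""
    return sorted({e["user"] for e in events if e["user"] in canaries})


def run_detections(text):
    """Run all three detectors over a log text and return their findings."""
    events = parse_log(text)
    return {
        "password_spray": detect_password_spray(events),
        "mfa_bombing": detect_mfa_bombing(events),
        "canary_access": detect_canary_access(events),
    }


if __name__ == "__main__":
    for name, finding in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The spray detector deliberately keys on the source address and counts distinct accounts rather than attempts per account, since a spray stays under per-account lockout thresholds by design; the residential proxies the advisory mentions will spread a spray across many addresses, so the same logic should also be run with the key set to something other than the IP (for example the user-agent or the time-of-day pattern) before concluding there is nothing to see.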

Lewis emphasizes the importance of collaboration among cybersecurity agencies and businesses to effectively respond to this evolving threat landscape. Sharing intelligence on emerging tactics allows organizations worldwide to bolster their defenses.