26 February 2024

Five Eyes partners detail new tactics of Russian military hackers APT29


Western cybersecurity officials caution that the Russian cyber espionage group responsible for the 2020 SolarWinds breach is evolving its methods to infiltrate organizations that have migrated to cloud-based infrastructures. The joint alert released by international partners from the Five Eyes alliance highlights recent strategies utilized by the threat actor tracked as APT29, Midnight Blizzard, the Dukes, or Cozy Bear.

The UK's National Cyber Security Centre (NCSC) and its international counterparts believe APT29 is linked to Russia’s Foreign Intelligence Service (SVR).

The migration to cloud hosting has presented challenges to hackers by reducing the attack surface, making it harder to exploit software vulnerabilities that might go unpatched in organizations with limited security resources. However, APT29 has devised methods to bypass these obstacles.

To breach cloud-hosted networks, attackers must first authenticate successfully with the cloud provider. Preventing initial access to the cloud environment can thwart the threat actors' attempts to compromise their targets. In contrast, on-premises systems typically expose more of the network to threat actors.

In the past year, APT29 has been observed pilfering system-issued access tokens to infiltrate victim accounts. These tokens can be obtained by compromising personal, unmanaged devices that have access to corporate resources. The threat actor has repeatedly bypassed password authentication on personal accounts using techniques like password spraying and credential reuse.

Moreover, they have circumvented Multi-Factor Authentication (MFA) through methods such as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification. Once access to the cloud environment is gained, the attacker has been seen registering their own devices on the cloud tenant. If device validation rules are absent, the threat actor can successfully register their own device and infiltrate the network.
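The three behaviours described above (password spraying, MFA fatigue, and a device being registered to the tenant right after the push is finally approved) each leave a recognisable shape in cloud sign-in telemetry. The following is an added example of detection heuristics written for this article; it is not code from the Five Eyes advisory or from any cloud provider. The event schema (fields `ts`, `user`, `src_ip`, `event`, `result`) and all sample events are constructed for illustration, and the thresholds are assumptions a defender would tune to their own tenant.

```python
"""Heuristics for the cloud-access tradecraft described above: password spraying,
MFA fatigue (push prompts repeated until one is accepted), and self-registration
of a device shortly after that approval.

The event format is a constructed, simplified sign-in log (hypothetical; it is not
the schema of any particular cloud provider)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). One failed guess per account from a
# single source IP, then a success, then five rejected pushes before an approval,
# then a device registration from the same session. Alice is benign noise.
SAMPLE_EVENTS = [
    *[{"ts": f"2024-02-20T08:00:{i:02d}", "user": f"user{i}@example.test",
       "src_ip": "203.0.113.7", "event": "password_auth", "result": "failure"}
      for i in range(12)],
    {"ts": "2024-02-20T08:00:30", "user": "user5@example.test", "src_ip": "203.0.113.7",
     "event": "password_auth", "result": "success"},
    *[{"ts": f"2024-02-20T08:01:{i * 10:02d}", "user": "user5@example.test",
       "src_ip": "203.0.113.7", "event": "mfa_push", "result": "denied"}
      for i in range(5)],
    {"ts": "2024-02-20T08:02:00", "user": "user5@example.test", "src_ip": "203.0.113.7",
     "event": "mfa_push", "result": "approved"},
    {"ts": "2024-02-20T08:05:00", "user": "user5@example.test", "src_ip": "203.0.113.7",
     "event": "device_register", "result": "success"},
    {"ts": "2024-02-20T09:00:00", "user": "alice@example.test", "src_ip": "198.51.100.4",
     "event": "password_auth", "result": "success"},
    {"ts": "2024-02-20T09:00:05", "user": "alice@example.test", "src_ip": "198.51.100.4",
     "event": "mfa_push", "result": "approved"},
]


def _t(event):
    """Parse the ISO-8601 timestamp of an event."""
    return datetime.fromisoformat(event["ts"])


def detect_password_spray(events, min_accounts=10, window=timedelta(minutes=10)):
    """Return {src_ip: distinct_accounts} for IPs that fail password auth against
    at least min_accounts distinct accounts inside a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "password_auth" and e["result"] == "failure":
            by_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=_t)
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if _t(x) - _t(start) <= window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged


def detect_mfa_fatigue(events, min_rejections=3, window=timedelta(minutes=10)):
    """Return {user: rejected_prompts} for users who approve a push after at least
    min_rejections denied or timed-out prompts within the window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=_t)
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            rejected = [x for x in evs[:i]
                        if x["result"] in ("denied", "timeout") and _t(e) - _t(x) <= window]
            if len(rejected) >= min_rejections:
                flagged[user] = len(rejected)
    return flagged


def detect_device_registration(events, flagged_users, window=timedelta(hours=1)):
    """Return [(user, ts)] for device registrations by an already-flagged user that
    occur within window after that user's latest approved push."""
    approvals = {}
    for e in sorted(events, key=_t):
        if e["event"] == "mfa_push" and e["result"] == "approved" and e["user"] in flagged_users:
            approvals[e["user"]] = _t(e)
    hits = []
    for e in events:
        if e["event"] == "device_register" and e["user"] in approvals:
            if timedelta(0) <= _t(e) - approvals[e["user"]] <= window:
                hits.append((e["user"], e["ts"]))
    return hits


def run_all(events):
    """Run the three heuristics and return their findings together."""
    fatigue = detect_mfa_fatigue(events)
    return {
        "password_spray": detect_password_spray(events),
        "mfa_fatigue": fatigue,
        "device_registration": detect_device_registration(events, set(fatigue)),
    }


if __name__ == "__main__":
    for name, finding in run_all(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

The device-registration check is deliberately chained to the MFA-fatigue finding: a registration on its own is routine, but one that follows a run of rejected prompts is exactly the sequence the advisory describes, and it is the event that device validation rules (requiring managed or compliant devices before enrollment) are meant to block.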
