26 February 2024

Five Eyes partners detail new tactics of Russian military hackers APT29


Western cybersecurity officials caution that the Russian cyber espionage group responsible for the 2020 SolarWinds breach is evolving its methods to infiltrate organizations that have migrated to cloud-based infrastructures. The joint alert released by international partners from the Five Eyes alliance highlights recent strategies utilized by the threat actor tracked as APT29, Midnight Blizzard, the Dukes, or Cozy Bear.

The UK's National Cyber Security Centre (NCSC) and its international counterparts believe APT29 is linked to Russia’s Foreign Intelligence Service (SVR).

The migration to cloud hosting has presented challenges to hackers by reducing the attack surface, making it harder to exploit software vulnerabilities that might go unpatched in organizations with limited security resources. However, APT29 has devised methods to bypass these obstacles.

To breach cloud-hosted networks, attackers must first authenticate successfully with the cloud provider. Preventing initial access to the cloud environment can therefore thwart threat actors' attempts to compromise their targets. In contrast, on-premises systems typically expose more of the network to threat actors.

In the past year, APT29 has been observed pilfering system-issued access tokens to infiltrate victim accounts. These tokens can be obtained by compromising personal, unmanaged devices that have access to corporate resources. The threat actor has repeatedly bypassed password authentication on personal accounts using techniques like password spraying and credential reuse.

Moreover, they have circumvented Multi-Factor Authentication (MFA) through methods such as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification. Once access to the cloud environment is gained, the attacker has been seen registering their own devices on the cloud tenant. If device validation rules are absent, the threat actor can successfully register their own device and infiltrate the network.
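The three access patterns described above (password spraying across many accounts, MFA fatigue ending in an approval, and device registration without a validation rule) each leave a recognisable trace in sign-in telemetry. The following is an added example, not part of the advisory or any vendor's detection content, showing how a defender could run simple heuristics for them over sign-in events. The event schema (`type`, `user`, `ip`, `result`, `device_compliant`), the sample events and the thresholds are all constructed assumptions; a real deployment would map the provider's sign-in and audit logs onto these fields and tune the thresholds.

```python
"""Heuristic detections for the cloud-access techniques described above,
run over constructed sign-in events (an added example; the schema, sample
data and thresholds are assumptions, not any provider's real log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. They are not real logs.
EVENTS = [
    # Password spray: one source IP, a single wrong-password attempt per account.
    *[{"ts": f"2024-02-26T08:00:{i:02d}", "type": "signin",
       "user": f"user{i}@example.test", "ip": "203.0.113.7",
       "result": "wrong_password"} for i in range(12)],
    # MFA fatigue: repeated push prompts to one user, finally approved.
    *[{"ts": f"2024-02-26T09:{i:02d}:00", "type": "mfa_push",
       "user": "alice@example.test", "ip": "198.51.100.4",
       "result": "denied"} for i in range(8)],
    {"ts": "2024-02-26T09:08:00", "type": "mfa_push",
     "user": "alice@example.test", "ip": "198.51.100.4", "result": "approved"},
    # Device registration shortly after that approval, with no compliance check.
    {"ts": "2024-02-26T09:10:00", "type": "device_register",
     "user": "alice@example.test", "ip": "198.51.100.4", "device_compliant": False},
    # Benign activity that should not be flagged.
    {"ts": "2024-02-26T10:00:00", "type": "signin", "user": "bob@example.test",
     "ip": "192.0.2.9", "result": "success"},
    {"ts": "2024-02-26T10:00:30", "type": "mfa_push", "user": "bob@example.test",
     "ip": "192.0.2.9", "result": "approved"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_password_spray(events, min_accounts=10, window=timedelta(minutes=10)):
    """Flag source IPs that fail a password against many distinct accounts in a window.
    Spraying is low and slow per account, so count distinct users per IP rather
    than failed attempts per user (which is what lockout policies watch)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] == "signin" and e["result"] == "wrong_password":
            by_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if _ts(x) - _ts(start) <= window}
            if len(users) >= min_accounts:
                hits.append((ip, len(users)))
                break
    return hits


def detect_mfa_fatigue(events, min_prompts=5, window=timedelta(minutes=15)):
    """Flag users who approve a push after a burst of denied prompts. The approval
    following repeated denials is the fatigue signal; denials alone are just noise."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_push":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            prior = [x for x in evs[:i]
                     if x["result"] == "denied" and _ts(e) - _ts(x) <= window]
            if len(prior) >= min_prompts:
                hits.append((user, len(prior)))
                break
    return hits


def detect_unvalidated_device_registration(events, after=timedelta(hours=1)):
    """Flag device registrations that carry no compliance mark and follow an
    MFA-fatigue approval for the same user within `after`. This is the sequence
    the advisory describes: gain access, then enrol an attacker-controlled device."""
    fatigued = {user for user, _ in detect_mfa_fatigue(events)}
    approvals = {e["user"]: _ts(e) for e in events
                 if e["type"] == "mfa_push" and e["result"] == "approved"}
    hits = []
    for e in events:
        if e["type"] != "device_register" or e.get("device_compliant"):
            continue
        user = e["user"]
        if user in fatigued and timedelta(0) <= _ts(e) - approvals[user] <= after:
            hits.append((user, e["ts"]))
    return hits


if __name__ == "__main__":
    print("password spray:", detect_password_spray(EVENTS))
    print("mfa fatigue:", detect_mfa_fatigue(EVENTS))
    print("unvalidated device registration:", detect_unvalidated_device_registration(EVENTS))
```

The device-registration check is the one that maps most directly onto the advisory's mitigation: where a device validation (compliance) rule is enforced at the tenant, the `device_compliant` field would be true or the registration would be rejected outright, and this detection would have nothing to report.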

