26 February 2024

Five Eyes partners detail new tactics of Russian military hackers APT29

Western cybersecurity officials caution that the Russian cyber espionage group responsible for the 2020 SolarWinds breach is evolving its methods to infiltrate organizations that have migrated to cloud-based infrastructures. The joint alert released by international partners from the Five Eyes alliance highlights recent strategies utilized by the threat actor tracked as APT29, Midnight Blizzard, the Dukes, or Cozy Bear.

The UK's National Cyber Security Centre (NCSC) and its international counterparts believe APT29 is linked to Russia’s Foreign Intelligence Service (SVR).

The migration to cloud hosting has presented challenges to hackers by reducing the attack surface, making it harder to exploit software vulnerabilities that might go unpatched in organizations with limited security resources. However, APT29 has devised methods to bypass these obstacles.

To breach cloud-hosted networks, attackers must first authenticate successfully with the cloud provider. Preventing initial access to the cloud environment can thwart threat actors' attempts to compromise their targets. In contrast, on-premises systems typically expose more of the network to threat actors.

In the past year, APT29 has been observed pilfering system-issued access tokens to infiltrate victim accounts. These tokens can be obtained by compromising personal, unmanaged devices that have access to corporate resources. The threat actor has repeatedly bypassed password authentication on personal accounts using techniques like password spraying and credential reuse.

Moreover, they have circumvented Multi-Factor Authentication (MFA) through methods such as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification. Once access to the cloud environment is gained, the attacker has been seen registering their own devices on the cloud tenant. If device validation rules are absent, the threat actor can successfully register their own device and infiltrate the network.
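One way a defender could hunt for the sequence described above, a burst of unanswered MFA pushes that ends in an approval and is then followed by a new device registration, as an added example that is not part of the alert or of any vendor tooling (the event schema, field names and sample events below are constructed assumptions):

```python
from datetime import datetime, timedelta

# Constructed sign-in events (assumed schema, not real logs): "alice" receives six
# MFA pushes in six minutes, approves the seventh, and a device is registered soon
# after; "bob" shows one normal retry and no registration.
SAMPLE_EVENTS = [
    {"ts": "2024-02-20T02:10:00", "user": "alice", "ip": "203.0.113.7", "result": "mfa_denied"},
    {"ts": "2024-02-20T02:11:00", "user": "alice", "ip": "203.0.113.7", "result": "mfa_timeout"},
    {"ts": "2024-02-20T02:12:00", "user": "alice", "ip": "203.0.113.7", "result": "mfa_denied"},
    {"ts": "2024-02-20T02:13:00", "user": "alice", "ip": "203.0.113.7", "result": "mfa_timeout"},
    {"ts": "2024-02-20T02:14:00", "user": "alice", "ip": "203.0.113.7", "result": "mfa_timeout"},
    {"ts": "2024-02-20T02:15:00", "user": "alice", "ip": "203.0.113.7", "result": "mfa_denied"},
    {"ts": "2024-02-20T02:16:00", "user": "alice", "ip": "203.0.113.7", "result": "mfa_approved"},
    {"ts": "2024-02-20T02:40:00", "user": "alice", "ip": "203.0.113.7", "result": "device_registered"},
    {"ts": "2024-02-20T09:00:00", "user": "bob", "ip": "198.51.100.4", "result": "mfa_timeout"},
    {"ts": "2024-02-20T09:01:00", "user": "bob", "ip": "198.51.100.4", "result": "mfa_approved"},
]


def parse(events):
    """Convert timestamps and order events per user so windows can be checked in sequence."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: (e["user"], e["ts"]))


def find_mfa_fatigue(events, min_prompts=5, window=timedelta(minutes=10),
                     reg_window=timedelta(hours=1)):
    """Flag approvals preceded by >= min_prompts denied/unanswered pushes from the same
    source IP within `window`, and note whether a device was registered within
    `reg_window` afterwards (the follow-on step the alert describes)."""
    by_user = {}
    for e in parse(events):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "mfa_approved":
                continue
            prior = [p for p in evs[:i]
                     if e["ts"] - p["ts"] <= window and p["ip"] == e["ip"]
                     and p["result"] in ("mfa_denied", "mfa_timeout")]
            if len(prior) < min_prompts:
                continue
            new_device = any(n["result"] == "device_registered"
                             and timedelta(0) <= n["ts"] - e["ts"] <= reg_window
                             for n in evs[i + 1:])
            alerts.append({"user": user, "ip": e["ip"], "prompts": len(prior),
                           "approved_at": e["ts"].isoformat(),
                           "device_registered_after": new_device})
    return alerts


if __name__ == "__main__":
    for a in find_mfa_fatigue(SAMPLE_EVENTS):
        print(a)
```

Thresholds are assumptions to tune against your own sign-in volume; a hit with `device_registered_after` set is the case where a missing device validation rule would let the registered device persist.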