Hackers with Russia’s Foreign Intelligence Service are following their targets into the cloud, according to a raft of international cyber agencies.
The United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) have released a joint advisory outlining Russian efforts to gain access to cloud environments belonging to both private and government organisations.
According to the cyber watchdogs, hackers with the Russian Foreign Intelligence Service, or SVR, have adapted their tactics, techniques, and procedures (TTPs), moving away from traditional access routes such as exploiting software on on-premises networks and instead targeting cloud services directly.
Over the last 12 months, SVR hackers – also tracked as APT29, Cozy Bear, and Midnight Blizzard – have been observed using several techniques to gain initial access, in particular brute force and password spraying against high-privilege service accounts. Because these accounts are not tied to an individual user, they typically cannot be protected by multifactor authentication (MFA), which makes them an easier target: a single guessed password is enough to log in.
The SVR has also been known to exploit dormant accounts belonging to former employees, and has used such inactive accounts to regain access even after an organisation enforced a password reset.
Where the SVR does need to get past MFA, it uses “MFA bombing” to induce MFA fatigue: sending a flood of push notifications to a user until they give in and approve one.
Once inside a cloud environment, SVR hackers can take advantage of incomplete device validation rules to register their own devices on the victim’s cloud tenant.
Another tactic is to route activity through residential proxies, so that traffic which would otherwise be flagged as malicious appears to come from ordinary home broadband addresses within an ISP’s IP range. According to CISA, this makes IP addresses far less useful as an indicator of compromise.
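The three initial-access behaviours described above (password spraying against service accounts that lack MFA, MFA bombing, and the residential-proxy problem that makes source IPs unreliable) each leave a recognisable pattern in sign-in telemetry. The Python below is an example added here by the editor; it is not code from the advisory, CISA, or the NCSC. The event layout, the thresholds, and the sample events are all assumptions constructed for illustration, so real detections would need tuning to the identity provider’s actual log schema and to the tenant’s normal authentication volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real telemetry. Each is
# (timestamp, source IP, account, outcome); outcomes are "failure",
# "success", "mfa_prompt" and "mfa_approved". The field layout is an
# assumption, loosely modelled on cloud identity-provider sign-in logs.
SAMPLE_EVENTS = [
    # One source trying many service accounts, at most two guesses each,
    # staying under any per-account lockout: a password spray.
    ("2024-02-26T08:00:01", "203.0.113.10", "svc-backup", "failure"),
    ("2024-02-26T08:00:09", "203.0.113.10", "svc-sync", "failure"),
    ("2024-02-26T08:00:17", "203.0.113.10", "svc-monitor", "failure"),
    ("2024-02-26T08:00:25", "203.0.113.10", "svc-ci", "failure"),
    ("2024-02-26T08:00:33", "203.0.113.10", "svc-etl", "failure"),
    ("2024-02-26T08:00:41", "203.0.113.10", "svc-backup", "failure"),
    ("2024-02-26T08:01:10", "203.0.113.10", "svc-sync", "success"),
    # A user mistyping a password once: not a spray.
    ("2024-02-26T09:00:00", "198.51.100.7", "alice", "failure"),
    ("2024-02-26T09:00:20", "198.51.100.7", "alice", "success"),
    # A burst of push prompts against one user who eventually gives in.
    ("2024-02-26T10:00:00", "203.0.113.10", "bob", "mfa_prompt"),
    ("2024-02-26T10:00:30", "203.0.113.10", "bob", "mfa_prompt"),
    ("2024-02-26T10:01:00", "203.0.113.10", "bob", "mfa_prompt"),
    ("2024-02-26T10:01:30", "203.0.113.10", "bob", "mfa_prompt"),
    ("2024-02-26T10:02:00", "203.0.113.10", "bob", "mfa_prompt"),
    ("2024-02-26T10:02:30", "203.0.113.10", "bob", "mfa_approved"),
    # A normal single prompt and approval.
    ("2024-02-26T11:00:00", "198.51.100.7", "alice", "mfa_prompt"),
    ("2024-02-26T11:00:10", "198.51.100.7", "alice", "mfa_approved"),
]


def _parsed(events):
    """Parse timestamps and sort the events chronologically."""
    return sorted((datetime.fromisoformat(ts), ip, acct, out)
                  for ts, ip, acct, out in events)


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2, group_by_ip=True):
    """Flag a source that fails against at least `min_accounts` distinct
    accounts inside `window` while never exceeding `max_per_account` tries
    per account (the low-and-slow profile that stays under lockout).
    With group_by_ip=False all sources are pooled, which is the mode to use
    when the attacker rotates residential proxies and the IP is not a
    stable key. Returns {source: {"accounts": set, "compromised": set}}.
    """
    by_source = defaultdict(list)
    for ts, ip, acct, out in _parsed(events):
        if out in ("failure", "success"):
            by_source[ip if group_by_ip else "*"].append((ts, acct, out))
    alerts = {}
    for source, rows in by_source.items():
        for i, (start, _, _) in enumerate(rows):
            fails, wins = defaultdict(int), set()
            for ts, acct, out in rows[i:]:
                if ts - start > window:
                    break
                if out == "failure":
                    fails[acct] += 1
                else:
                    wins.add(acct)
            if (fails and len(fails) >= min_accounts
                    and max(fails.values()) <= max_per_account):
                # A success from the same source right after a spray is the
                # account to reset and investigate first.
                alerts[source] = {"accounts": set(fails), "compromised": wins}
                break
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_prompts=3):
    """Flag an account that receives `min_prompts` or more push prompts
    inside `window`, and record whether an approval followed the burst.
    Returns {account: {"prompts": int, "approved": bool}}.
    """
    by_account = defaultdict(list)
    for ts, _, acct, out in _parsed(events):
        if out in ("mfa_prompt", "mfa_approved"):
            by_account[acct].append((ts, out))
    alerts = {}
    for acct, rows in by_account.items():
        for i, (start, _) in enumerate(rows):
            prompts, approved = 0, False
            for ts, out in rows[i:]:
                if ts - start > window:
                    break
                if out == "mfa_prompt":
                    prompts += 1
                elif prompts >= min_prompts:
                    approved = True  # the user gave in after the bombardment
            if prompts >= min_prompts:
                alerts[acct] = {"prompts": prompts, "approved": approved}
                break
    return alerts


if __name__ == "__main__":
    print("password spray:", detect_password_spray(SAMPLE_EVENTS))
    print("pooled sources:", detect_password_spray(SAMPLE_EVENTS, group_by_ip=False))
    print("mfa fatigue:", detect_mfa_fatigue(SAMPLE_EVENTS))
```

The spray detector deliberately keys on the shape of the activity (many accounts, few tries each) rather than on a single IP, and the pooled mode exists precisely because residential proxies make per-IP counting unreliable; on a real tenant, a better baseline is the normal rate of distinct-account failures per window. The MFA fatigue detector treats an approval that follows a burst of prompts as the signal to revoke the session and contact the user, since by then the push has very likely been accepted out of exhaustion.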
“The SVR is a sophisticated actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds,” CISA said in its advisory, “however, the guidance in this advisory shows that a strong baseline of cyber security fundamentals can help defend from such actors”.
“For organisations that have moved to cloud infrastructure, a first line of defence against an actor such as SVR should be to protect against SVR’s TTPs for initial access.”
You can read the full advisory here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.