A recent joint advisory released by CISA in collaboration with the UK National Cyber Security Centre (NCSC) and other domestic and international partners sheds light on the evolving tactics of Russian Foreign Intelligence Service (SVR) cyber actors.
Referred to by various aliases such as APT29, Midnight Blizzard, the Dukes or Cozy Bear, this group has been identified by the US as a cyber-espionage entity, likely operating under the umbrella of the SVR, a branch of Russian intelligence.
The advisory, published earlier today, outlines the group’s recent strategies to infiltrate cloud environments, a shift observed as organizations increasingly transition to cloud-based infrastructure.
Traditionally, SVR actors relied on exploiting vulnerabilities in on-premises networks; however, they have adapted to target cloud services directly. This shift necessitates a different approach to defense, as cloud environments require successful authentication for access, posing challenges to threat actors.
Previous activities attributed to SVR actors include the SolarWinds supply chain compromise and the targeting of organizations involved in COVID-19 vaccine development.
The latest CISA advisory also highlights how SVR’s tactics have expanded to target a wider array of sectors, including aviation, education, law enforcement and government financial departments.
Recent observations indicate SVR actors utilize techniques such as brute-forcing, password spraying and exploiting dormant accounts to gain initial access. Additionally, they leverage cloud-based token authentication and residential proxies to maintain covert operations and evade detection.
Organizations are urged to implement robust cybersecurity measures, including multi-factor authentication (MFA), regular password resets and least-privilege access policies. Detecting and mitigating SVR’s tactics requires a comprehensive approach, combining various information sources and indicators of compromise.
The advisory also underscored the importance of a robust cybersecurity baseline in defending against sophisticated threats like SVR.
“The SVR is a sophisticated actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds. However, the guidance in this advisory shows that a strong baseline of cyber security fundamentals can help defend from such actors,” CISA warned.
“For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to protect against SVR’s TTPs for initial access. By following the mitigations outlined in this advisory, organizations will be in a stronger position to defend against this threat.”