Cloud Security , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Russian Threat Actor APT29 Pivots to the Cloud for Espionage

Five Eyes Cyber Agencies Say Kremlin Hackers Are Following Victims to the Cloud
Russian Threat Actor APT29 Pivots to the Cloud for Espionage
Russian hackers are following their targets to the cloud. (Image: Shutterstock)

The Russian intelligence hacking group known as APT29 or Cozy Bear is responding to the corporate migration to the cloud with matching hacking techniques, says an alert from international cyber agencies.

See Also: Unified SASE: The Third Era of Network Security

Also known as Midnight Blizzard and the Dukes, the threat actor is a component of the Russian Foreign Intelligence Service, the Biden administration said in 2021 when it fingered the group for inserting a backdoor into IT infrastructure software developed by SolarWinds.

The group uses techniques such as brute-forcing the password of dormant accounts or service accounts used to make automated API calls. Service accounts are desirable targets because they typically lack multifactor authentication, says a Monday alert from the Five Eyes intelligence alliance, which consists of the United Kingdom, the United States, Canada, Australia and New Zealand.

Where once enterprises universally managed their own servers and software, organizations now are likely to rely on remote infrastructure to power their core business - a change that some say alleviates many security concerns. But as the warning points out, remote infrastructure is also the source of a next generation of security threats. Worldwide spending on public cloud providers such as AWS and Google will reach $679 billion this year, consultancy Gartner forecast in November. The consultancy also predicted that within the next five years, most organizations will use cloud platforms as a "business necessity" rather than as an "innovation facilitator" or a "business disruptor."

Threat intelligence firms have warned that APT29 has amplified its global cyberespionage operations as part of Moscow's ongoing war of conquest against Ukraine. Kyiv cyber defenders in November accused APT29 of orchestrating attacks against the embassies of a slew of countries. Microsoft in January disclosed that the threat actor had stolen email and documents from the email accounts of "senior leadership" and employees in its cybersecurity and legal departments (see: Microsoft: Russian Hackers Had Access to Executives' Emails).

APT29 also steals cloud-based authentication tokens to access accounts without providing a password. And it uses a technique called MFA bombing, in which attackers bypass multifactor authentication by repeatedly pushing logon validation requests to victims' devices until they authorize the logon out of carelessness or exasperation.

Once inside, APT29 may gain persistence by enrolling its own devices onto the network. It also camouflages its activities by running internet traffic through residential proxies, giving attackers an exit point from residential networks and internet protocol addresses that are less likely to raise the suspicions of system administrators.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.