Russian cyber actors target cloud-hosted infrastructure, NSA warns
On February 26, the National Security Agency (NSA) joined the UK National Cyber Security Centre (NCSC-UK) and other partners in releasing the Cybersecurity Advisory (CSA), “SVR Cyber Actors Adapt Tactics for Initial Cloud Access.” The CSA outlines how Russia-based cyber actors are adapting their tactics, techniques, and procedures (TTPs) to infiltrate and access intelligence hosted in cloud environments as a growing number of targets store data in the cloud.
The cyber actors – commonly known as APT29, Midnight Blizzard, the Dukes, or Cozy Bear, and almost certainly associated with the Russian foreign intelligence service (SVR) – primarily gain access to cloud-based systems by logging into automated system accounts and inactive accounts via TTPs such as password spraying and brute forcing. These types of accounts often do not use multifactor authentication and have weak passwords, making them susceptible to the SVR actors’ techniques. According to the CSA, once inside a target’s cloud environment, the actors have successfully used system-issued tokens or registered their own devices to maintain a presence in the system. The CSA also highlights a new TTP associated with these actors: the use of residential proxies to obscure their access and make suspicious activity harder to identify.
This CSA also provides indicators of compromise and recommends enforcing good cybersecurity fundamentals, including system account management, short token validity time periods, conditional access policies, device enrollment, strong password enforcement, multifactor authentication, and system updates.
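The two access patterns described above (password spraying against many accounts, and successful non-MFA sign-ins into automated or dormant accounts) can be surfaced from ordinary sign-in logs. The following is an added example written for this article, not code from the CSA, NSA, or NCSC-UK; the log line format, the account inventory, and the detection thresholds are all assumptions constructed for illustration and should be mapped onto whatever a given cloud provider actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in log lines (assumed format, not any provider's real schema).
# Source 203.0.113.10 shows a spray shape: one failure each against many accounts,
# then a success into a service account without MFA. Source 198.51.100.7 shows
# repeated failures against a single account (brute-force shape, not spray).
LOG_LINES = [
    "2024-02-20T09:00:05Z ip=203.0.113.10 user=alice result=FAIL mfa=no",
    "2024-02-20T09:00:07Z ip=203.0.113.10 user=bob result=FAIL mfa=no",
    "2024-02-20T09:00:09Z ip=203.0.113.10 user=carol result=FAIL mfa=no",
    "2024-02-20T09:00:11Z ip=203.0.113.10 user=dave result=FAIL mfa=no",
    "2024-02-20T09:00:13Z ip=203.0.113.10 user=svc-backup result=FAIL mfa=no",
    "2024-02-20T09:00:15Z ip=203.0.113.10 user=svc-backup result=OK mfa=no",
    "2024-02-20T09:05:00Z ip=198.51.100.7 user=erin result=FAIL mfa=no",
    "2024-02-20T09:05:01Z ip=198.51.100.7 user=erin result=FAIL mfa=no",
    "2024-02-20T09:05:02Z ip=198.51.100.7 user=erin result=FAIL mfa=no",
    "2024-02-20T09:05:03Z ip=198.51.100.7 user=erin result=FAIL mfa=no",
    "2024-02-20T09:05:04Z ip=198.51.100.7 user=erin result=FAIL mfa=no",
    "2024-02-20T09:05:05Z ip=198.51.100.7 user=erin result=FAIL mfa=no",
    "2024-02-20T10:00:00Z ip=192.0.2.44 user=frank result=OK mfa=yes",
]

# Constructed account inventory (assumed): account type and date of last
# legitimate activity, used to decide whether an account is automated or dormant.
ACCOUNTS = {
    "alice": ("user", "2024-02-19"),
    "bob": ("user", "2024-02-18"),
    "carol": ("user", "2024-02-19"),
    "dave": ("user", "2023-09-01"),        # dormant user account
    "svc-backup": ("service", "2023-06-30"),  # dormant automated account
    "erin": ("user", "2024-02-19"),
    "frank": ("user", "2024-02-19"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse(lines):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": m["ip"],
            "user": m["user"],
            "success": m["result"] == "OK",
            "mfa": m["mfa"] == "yes",
        })
    return events


def find_spray_sources(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Spray shape: one source IP, many distinct accounts, few failures per account
    inside a time window. Many failures against one account does not match."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["success"]:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged


def find_risky_successes(events, accounts, now, dormant_after=timedelta(days=90)):
    """Successful sign-ins without MFA into service accounts or accounts dormant
    longer than dormant_after: the account population the advisory says is targeted."""
    risky = []
    for e in events:
        if not e["success"] or e["mfa"]:
            continue
        kind, last = accounts.get(e["user"], ("unknown", None))
        dormant = False
        if last is not None:
            last_dt = datetime.strptime(last, "%Y-%m-%d").replace(tzinfo=timezone.utc)
            dormant = now - last_dt > dormant_after
        if kind == "service" or dormant:
            risky.append((e["user"], e["ip"], "service" if kind == "service" else "dormant"))
    return risky


def run(lines=LOG_LINES, accounts=ACCOUNTS):
    events = parse(lines)
    now = max(e["ts"] for e in events)
    return {
        "spray_sources": find_spray_sources(events),
        "risky_successes": find_risky_successes(events, accounts, now),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

The two checks are deliberately separate: the spray detector keys on the shape of failures per source (many accounts, few tries each) rather than on volume, which is what distinguishes spraying from brute forcing a single account; the risky-success check keys on the account population the CSA names (automated and inactive accounts) and on the absence of MFA, so that one quiet success after a spray is not lost in the noise. Threshold values and the 90-day dormancy cut-off are assumptions to tune per environment.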
“We often say, ‘cybersecurity is national security,’ and the Cybersecurity Advisory we are publishing today shows why,” said Rob Joyce, NSA’s director of Cybersecurity. “We, along with our valued partners in the U.K., have seen the potential for Russian state actors to infiltrate cloud environments and we’re responding accordingly. As the world modernizes their systems, we need to do all we can to reduce the attack surface for cyber actors to penetrate.”
The NCSC-UK has previously detailed how the SVR actors target the governmental, think tank, healthcare, and energy sectors. The CSA describes that SVR actors’ targeting has expanded to include aviation, education, law enforcement, local and state governments, government financial departments, and military organizations.
The cyber actors are also known for involvement in the supply chain compromise of SolarWinds software, targeting of COVID-19 vaccine development in 2016, and the breach of Democratic National Committee communications in 2015.
Source: NSA