TLDR:
Key Points:
- Cyber espionage group APT29, linked to Russia’s Foreign Intelligence Service (SVR), is adapting its tactics to target cloud environments.
- SVR hackers are using techniques like password spraying and “MFA bombing” to gain access to organizations’ cloud services.
Russian state hackers affiliated with APT29 are targeting organizations that have shifted to cloud-based environments, according to an advisory from the UK National Cyber Security Centre (NCSC). The weaknesses the group focuses on are not in the cloud platforms themselves but in how access to them is controlled: identities, credentials and authentication. APT29, also known as Cozy Bear or Midnight Blizzard, has been using password spraying and brute-force attacks against dormant cloud accounts, which are rarely monitored and often still hold old credentials. Where MFA is in place but relies on push notifications, the group uses “MFA bombing” (also called push bombing or MFA fatigue): holding a valid password, the attacker repeatedly triggers authentication prompts until the victim approves one by mistake or simply to make the prompts stop.
The NCSC advisory's recommended mitigations are mostly identity controls: enforce MFA (preferably a method that resists push fatigue, such as number matching or hardware security keys), use strong passwords, shorten session and token lifetimes so that a stolen token expires quickly, and apply the principle of least privilege to system and service accounts, which frequently cannot use MFA and therefore need tightly scoped permissions. The advisory also recommends setting up canary service accounts, accounts with no legitimate use whose every sign-in attempt is by definition an alert, and device enrollment policies (zero-touch enrollment) that permit only authorised devices to be registered, so that an attacker who obtains a password cannot enrol their own device to satisfy MFA.
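The three behaviours described above (password spraying against many accounts, MFA bombing against one, and any activity on a canary account) each leave a distinctive pattern in sign-in logs. The following is an added example, not code from the article or from the NCSC advisory, that runs simple detection logic over constructed sign-in log lines; the log format, field names, account names, IP addresses and thresholds are all assumptions made for the example.

```python
"""Added example (not from the article or the NCSC advisory): toy detection
logic for password spraying, MFA push bombing and canary-account use, run
over constructed sign-in log lines. Format, names and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Assumed format:
#   <ISO 8601 timestamp> user=<name> ip=<source> result=<outcome>
# Assumed outcomes: fail (bad password), mfa_pushed (password correct, push
# sent), mfa_denied (push rejected or timed out), success (sign-in completed).
SAMPLE_LOG = """\
2024-02-26T09:00:01Z user=alice ip=203.0.113.7 result=fail
2024-02-26T09:00:04Z user=bob ip=203.0.113.7 result=fail
2024-02-26T09:00:09Z user=carol ip=203.0.113.7 result=fail
2024-02-26T09:00:12Z user=dave ip=203.0.113.7 result=fail
2024-02-26T09:00:15Z user=erin ip=203.0.113.7 result=fail
2024-02-26T09:00:18Z user=svc-backup-old ip=203.0.113.7 result=fail
2024-02-26T09:30:00Z user=alice ip=198.51.100.9 result=fail
2024-02-26T09:31:00Z user=alice ip=198.51.100.9 result=fail
2024-02-26T10:00:00Z user=frank ip=192.0.2.44 result=mfa_pushed
2024-02-26T10:00:30Z user=frank ip=192.0.2.44 result=mfa_denied
2024-02-26T10:01:00Z user=frank ip=192.0.2.44 result=mfa_pushed
2024-02-26T10:01:30Z user=frank ip=192.0.2.44 result=mfa_denied
2024-02-26T10:02:00Z user=frank ip=192.0.2.44 result=mfa_pushed
2024-02-26T10:02:30Z user=frank ip=192.0.2.44 result=mfa_denied
2024-02-26T10:03:00Z user=frank ip=192.0.2.44 result=mfa_pushed
2024-02-26T10:03:30Z user=frank ip=192.0.2.44 result=mfa_denied
2024-02-26T10:04:00Z user=frank ip=192.0.2.44 result=mfa_pushed
2024-02-26T10:04:20Z user=frank ip=192.0.2.44 result=success
2024-02-26T11:00:00Z user=grace ip=10.0.0.5 result=mfa_pushed
2024-02-26T11:00:10Z user=grace ip=10.0.0.5 result=success
"""

# Assumed canary: a dormant-looking service account that nobody should ever use.
CANARY_ACCOUNTS = {"svc-backup-old"}


def parse_log(text):
    """Parse the constructed lines into dicts with a tz-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kvs = line.split()
        ev = dict(kv.split("=", 1) for kv in kvs)
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Password spraying: one source IP failing against many distinct accounts
    in a short window. Spraying stays below per-account lockout thresholds,
    so the pivot has to be the source IP rather than the user."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():  # fails are already time-ordered
        for i, start in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def detect_mfa_bombing(events, window=timedelta(minutes=15), min_pushes=5):
    """MFA bombing (push fatigue): repeated push prompts for one user in a short
    window. A 'success' inside the same burst means the victim eventually
    accepted, which is the case that needs incident response, not a ticket."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        pushes = [e for e in evs if e["result"] == "mfa_pushed"]
        for i, start in enumerate(pushes):
            burst = [p for p in pushes[i:] if p["ts"] - start["ts"] <= window]
            if len(burst) >= min_pushes:
                end = burst[-1]["ts"] + window
                accepted = any(e["result"] == "success" and start["ts"] <= e["ts"] <= end
                               for e in evs)
                hits[user] = {"pushes": len(burst), "accepted": accepted}
                break
    return hits


def detect_canary_use(events, canaries=CANARY_ACCOUNTS):
    """Any attempt against a canary account is an alert: the account has no
    legitimate user, so even a failed password guess is a signal."""
    return [(e["ts"].isoformat(), e["user"], e["ip"], e["result"])
            for e in events if e["user"] in canaries]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evs))
    print("mfa bombing:", detect_mfa_bombing(evs))
    print("canary use:", detect_canary_use(evs))
```

On the constructed sample, the spray detector flags 203.0.113.7 (six distinct accounts failed in under twenty seconds, while the two failures for alice from 198.51.100.9 stay below the threshold), the MFA detector flags frank with five pushes in four minutes and an accepted prompt at the end, and the canary check fires on the single guess against svc-backup-old. In a real tenant the same logic would read the identity provider's sign-in log export instead of a string, and the thresholds would be tuned against a baseline of legitimate activity.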
The challenges of securing cloud environments are further compounded by attackers' use of generative artificial intelligence to craft more convincing phishing attacks. Businesses are reminded that cloud security is a shared responsibility: the provider secures the underlying platform, while the customer remains responsible for configuring its resources, identity and access management, and application-level security, and every technique described above targets the customer's side of that line. The advisory stresses collaboration among cybersecurity agencies and organizations to respond effectively to evolving threats.