UK and Allies Unveil Evolving Tactics of Russian Cyber Actors

The National Cyber Security Centre (NCSC) of the United Kingdom, alongside its partners in the Five Eyes intelligence alliance (US, Canada, Australia, and New Zealand), have revealed evolving tactics employed by Russian cyber actors linked to the Foreign Intelligence Service (SVR). This joint advisory highlights the growing threat posed by these actors, particularly as organizations increasingly rely on cloud-based infrastructure.

Shifting Tactics: Targeting the Cloud

Traditionally, cyber actors exploited software vulnerabilities to gain access to systems. However, with the widespread adoption of cloud services, this approach has become less effective. In response, Russian cyber actors have adapted their techniques, focusing on:

• Stealing system-issued access tokens: These tokens grant access to specific resources within the cloud environment. Once stolen, they can be used to impersonate legitimate users and gain unauthorized access.
• Enrolling new devices via compromised credentials: By reusing personal account credentials obtained through phishing attacks or other means, attackers can register unauthorized devices within the victim’s cloud environment.
• Targeting system accounts with password spraying and brute forcing: These techniques involve trying various password combinations to gain access to accounts. Weak passwords and the absence of two-factor authentication (2FA) make systems more susceptible to these attacks.

Mitigating the Threat

The joint advisory emphasizes the importance of implementing strong defense strategies to counter these evolving tactics. Here are some key recommendations:

• Implement multi-factor authentication (MFA/2FA): This adds an extra layer of security by requiring a second verification step, significantly reducing the risk of unauthorized access even if a password is compromised.
• Enforce strong password policies: Encourage users to create complex and unique passwords for each online account. Regularly update passwords and avoid reusing them across different platforms.
• Implement robust cloud security practices: Secure your cloud environment by following best practices for access control, identity management, and data encryption.
• Stay informed: Regularly update your systems and software with the latest security patches to address known vulnerabilities.
• Report suspicious activity: If you suspect unusual activity within your systems, promptly report it to the relevant authorities and IT security teams.

Understanding the Threat Actor

The advisory identifies the threat group responsible for these evolving tactics as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear. This group is suspected to be affiliated with the Russian Foreign Intelligence Service (SVR).

Previously, APT29 has targeted various sectors, including government agencies, think tanks, healthcare providers, and energy companies. Their recent activities indicate an expansion of their targets to encompass organizations in aviation, education, law enforcement, local governments, and even military institutions.

The NCSC Director of Operations, Paul Chichester, stressed the importance of raising awareness about these evolving tactics: “We remain committed to exposing malicious cyber activity, and this includes keeping the public informed about the changing behavior of groups targeting the UK.” He urged organizations to familiarize themselves with the advisory’s recommendations and implement appropriate mitigation strategies to safeguard their cloud environments.

By staying informed and implementing robust security measures, organizations can significantly reduce the risk of falling victim to these sophisticated cyber attacks.