
Hackers from the APT29 group adapt tactics for initial cloud access


A recent joint advisory released by the US Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the UK National Cyber Security Centre (NCSC) and other national and international partners sheds light on the evolving tactics of the hacking group APT29 (also known as Midnight Blizzard, Cozy Bear, the Dukes, or Nobelium). The group is believed to be sponsored by the Russian government and to act as the hacking arm of the Kremlin's Foreign Intelligence Service (SVR).

The advisory, published on Monday, 26 February 2024, describes the group's recent strategies for infiltrating cloud environments, a change observed as organizations increasingly move to cloud-based infrastructure.

Traditionally, APT29 operators have relied on exploiting software vulnerabilities in on-premises networks. As their targets move to the cloud, the group has adapted to target cloud services directly. That shift changes the defensive picture: to get into a cloud tenant an attacker must first authenticate to the cloud provider, so initial access depends on obtaining valid credentials or tokens rather than on finding an unpatched host, and identity controls become the first line of defense.

Previous activities attributed to the APT29 hackers include compromising the SolarWinds supply chain and targeting organizations involved in Covid-19 vaccine development.

CISA’s latest statement also highlights how SVR tactics have expanded to target a wider range of sectors, including aviation, education, law enforcement and government financial departments.

Recent observations cited in the advisory indicate that APT29 operators use brute force, password spraying, and dormant accounts (accounts left active after their owner has left the organization) to gain initial access. Once inside, they rely on cloud access tokens, which let a session continue without re-entering a password or completing MFA, and route their traffic through residential proxies so that logins appear to come from ordinary home broadband addresses rather than from known hostile infrastructure.
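The two initial-access behaviours described above, password spraying and the reuse of dormant accounts, leave a recognisable shape in sign-in telemetry: one source address failing against many distinct accounts in a short window, followed by a success into an account that has not logged in for months. The detector below is an added example written for this article, not code from the CISA/NCSC advisory or from any vendor; the event format, field names and thresholds are assumptions, and the sign-in events are constructed for the example.

```python
"""
Added example (not from the advisory or the article): a small detector for the
password-spraying and dormant-account pattern, run over constructed sign-in events.
Field names and thresholds are assumptions, not any identity provider's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (invented for this example):
# (timestamp, source IP, account, result, days since that account's last
#  successful login, as the identity provider would record it).
SAMPLE_EVENTS = [
    ("2024-02-26T09:00:05Z", "203.0.113.7", "alice@example.org", "FAIL", 2),
    ("2024-02-26T09:00:09Z", "203.0.113.7", "bob@example.org", "FAIL", 1),
    ("2024-02-26T09:00:14Z", "203.0.113.7", "carol@example.org", "FAIL", 3),
    ("2024-02-26T09:00:18Z", "203.0.113.7", "dave@example.org", "FAIL", 5),
    ("2024-02-26T09:00:23Z", "203.0.113.7", "erin@example.org", "FAIL", 0),
    ("2024-02-26T09:00:27Z", "203.0.113.7", "frank@example.org", "FAIL", 4),
    ("2024-02-26T09:00:31Z", "203.0.113.7", "svc-backup@example.org", "FAIL", 120),
    ("2024-02-26T09:02:10Z", "203.0.113.7", "svc-backup@example.org", "SUCCESS", 120),
    # Benign noise: one user mistyping their own password twice, then succeeding.
    ("2024-02-26T09:05:00Z", "198.51.100.4", "alice@example.org", "FAIL", 2),
    ("2024-02-26T09:05:07Z", "198.51.100.4", "alice@example.org", "FAIL", 2),
    ("2024-02-26T09:05:15Z", "198.51.100.4", "alice@example.org", "SUCCESS", 2),
]

SPRAY_WINDOW = timedelta(minutes=10)   # assumed detection window
SPRAY_MIN_ACCOUNTS = 5                 # assumed: distinct accounts per source
DORMANT_DAYS = 90                      # assumed: no successful login in 90 days


def parse(event):
    """Turn one raw tuple into typed fields (timestamps become datetimes)."""
    ts, ip, account, result, idle_days = event
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result, idle_days)


def detect_password_spray(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Return {source_ip: sorted targeted accounts} for every source that failed
    against at least `min_accounts` distinct accounts inside `window`.

    Spraying is 'many accounts, one or two guesses each', so the key signal is
    distinct accounts per source, not failures per account (which is all an
    account-lockout policy ever sees)."""
    fails = defaultdict(list)
    for ts, ip, account, result, _ in map(parse, events):
        if result == "FAIL":
            fails[ip].append((ts, account))

    sprays = {}
    for ip, attempts in fails.items():
        attempts.sort()
        best = set()
        start = 0
        # Sliding window over this source's failures, ordered by time.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {a for _, a in attempts[start:end + 1]}
            if len(accounts) >= min_accounts and len(accounts) > len(best):
                best = accounts
        if best:
            sprays[ip] = sorted(best)
    return sprays


def dormant_account_logins_after_spray(events, sprays, dormant_days=DORMANT_DAYS):
    """Successful logins from a spraying source into accounts idle for at least
    `dormant_days`: the dormant-account follow-on described in the advisory."""
    hits = []
    for ts, ip, account, result, idle_days in map(parse, events):
        if ip in sprays and result == "SUCCESS" and idle_days >= dormant_days:
            hits.append((ip, account, ts.isoformat()))
    return hits


if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_EVENTS)
    print("password-spray sources:", found)
    print("dormant-account logins:", dormant_account_logins_after_spray(SAMPLE_EVENTS, found))
```

Run against the constructed events, the detector flags 203.0.113.7 (seven distinct accounts in under 30 seconds) and the later success into the 120-day-idle service account, while the user at 198.51.100.4 who fumbled their own password is not flagged. In production the "days idle" field would come from the identity provider's last-sign-in records, and the residential-proxy angle described above is the reason to key on behaviour rather than on IP reputation alone.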

Organizations are urged to implement robust defenses, including multi-factor authentication (MFA), regular password resets, least-privilege access policies, and the removal of accounts that are no longer in use. Detecting and mitigating APT29 activity requires a comprehensive approach that combines multiple sources of telemetry with known indicators of compromise.

The statement also highlighted the importance of a robust cybersecurity foundation in defending against sophisticated threats like APT29.

“APT29 is a sophisticated operator capable of carrying out a global supply chain compromise such as the 2020 SolarWinds incident. However, the guidance in this advisory shows that a solid foundation of cybersecurity fundamentals can help defend against such actors,” CISA warned.

“For organizations moving to cloud infrastructure, the first line of defense against APT29 should be protection against the group's tactics, techniques, and procedures (TTPs) for initial access. By following the mitigations outlined in this advisory, organizations will be in a stronger position to defend themselves against this threat.”


Source: CisoAdvisor, CisaGOV
