The UK National Cyber Security Centre (NCSC) and its Five Eyes Alliance partners have released an advisory on the “evolving tactics” Russian hackers use to attack organizations that have moved to cloud-based infrastructure.
According to the advisory, cyber actors linked to the Russian Foreign Intelligence Service (SVR) have been adapting their methods to keep pace with the growing shift of their targets from physical infrastructure to virtual or cloud-based networks.
SVR-backed cyber actors gained notoriety in 2020 for compromising the supply chain of an IT monitoring software provider and for targeting the capabilities of organizations involved in the development of COVID-19 vaccines.
Updating Approach
The advisory, prepared by the British government in partnership with Canada, Australia, New Zealand, and the US, attributes the activity to the APT29 cyber group.
NCSC and its counterparts wrote that previously targeted sectors, including academia, healthcare, and think tanks, have been gradually transitioning from “traditional means of access” to cloud-hosted environments.
In response, the group has updated its approach over the past 12 months, stealing system-issued tokens and taking over user accounts.
This is followed by enrolling unauthorized devices in the target’s cloud environment, changing passwords, and brute-forcing credentials; these attempts often succeed because victims use weak passwords and have no additional verification steps in place.
Access gained through this operation lets the actors deploy other “highly sophisticated capabilities” to infiltrate the target further.
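A defender-side illustration of the chain just described, added here as an example and not taken from the advisory: a small Python detector walks constructed cloud sign-in audit events (the field names, IP addresses and threshold are assumptions) and flags accounts where a run of failed sign-ins ends in a success, raising the severity when that success had no MFA and again when the same source then enrols a new device.

```python
from collections import defaultdict


def _ev(ts, user, ip, kind, result, mfa=None):
    """Build one constructed audit event; field names are assumed, not a real vendor schema."""
    return {"ts": ts, "user": user, "ip": ip, "type": kind, "result": result, "mfa": mfa}


# Constructed sample events: alice is guessed, signs in without MFA, then a device is enrolled
# from the same IP; bob mistypes once, signs in with MFA, then enrols a device legitimately.
SAMPLE_EVENTS = (
    [_ev(f"2024-02-26T08:00:{i:02d}Z", "alice", "198.51.100.7", "signin", "fail") for i in range(0, 50, 10)]
    + [_ev("2024-02-26T08:00:55Z", "alice", "198.51.100.7", "signin", "success", mfa=False),
       _ev("2024-02-26T08:02:00Z", "alice", "198.51.100.7", "device_enrolled", "success"),
       _ev("2024-02-26T09:00:00Z", "bob", "192.0.2.44", "signin", "fail"),
       _ev("2024-02-26T09:00:30Z", "bob", "192.0.2.44", "signin", "success", mfa=True),
       _ev("2024-02-26T09:05:00Z", "bob", "192.0.2.44", "device_enrolled", "success")]
)


def find_takeover_sequences(events, fail_threshold=5):
    """Return alerts for accounts whose success follows >= fail_threshold failed sign-ins.

    Severity: "medium" if the success used MFA, "high" if not; a later device
    enrolment from the same IP escalates one level ("high" or "critical")."""
    alerts = []
    fails = defaultdict(int)   # user -> consecutive failed sign-ins so far
    flagged = {}               # user -> (source ip, alert) once a takeover is suspected
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO-8601 strings sort chronologically
        user, ip = e["user"], e["ip"]
        if e["type"] == "signin":
            if e["result"] == "fail":
                fails[user] += 1
                continue
            if fails[user] >= fail_threshold:
                alert = {"user": user, "ip": ip, "failed_attempts": fails[user],
                         "mfa": bool(e.get("mfa")), "device_enrolled": False,
                         "severity": "medium" if e.get("mfa") else "high"}
                alerts.append(alert)
                flagged[user] = (ip, alert)
            fails[user] = 0    # any success ends the run of failures
        elif e["type"] == "device_enrolled" and user in flagged:
            prior_ip, alert = flagged[user]
            if ip == prior_ip:   # new device registered by the same source that guessed in
                alert["device_enrolled"] = True
                alert["severity"] = "high" if alert["mfa"] else "critical"
    return alerts


if __name__ == "__main__":
    for a in find_takeover_sequences(SAMPLE_EVENTS):
        print(a)
```

Real audit logs would supply the event schema and the threshold should be tuned to the tenant's normal failure rate.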
‘Raising Awareness’
NCSC’s update stated that SVR cyberattacks have already expanded beyond the sectors mentioned to additional organizations such as law enforcement, aviation, local and state councils, and federal agencies.
“We are resolute in our commitment to exposing malicious cyber activity, which includes raising awareness of changes in the behaviour of groups which persistently target the UK,” NCSC Operations Director Paul Chichester stated.
“The NCSC urges organisations to familiarise themselves with the intelligence and mitigation advice within the advisory to help defend their networks.”