The Russian intelligence hacking group, known as APT29 or Cozy Bear, is adjusting its tactics in response to the corporate shift toward cloud infrastructure. International cyber agencies have issued an alert regarding this development.
Background
Also referred to as Midnight Blizzard and the Dukes, this threat actor operates under the umbrella of the Russian Foreign Intelligence Service. In 2021, the Biden administration publicly attributed to APT29 the backdooring of IT infrastructure software developed by SolarWinds.
Hacking Techniques
- Brute-Forcing Passwords: APT29 employs brute-force attacks on dormant accounts and service accounts used for automated API calls.
- Targeting Service Accounts: Service accounts, lacking multifactor authentication, are attractive targets for the group.
Security Concerns
As enterprises increasingly rely on remote infrastructure to drive their core business, security dynamics have shifted. While this change may alleviate some concerns, it also introduces a new generation of security threats. Worldwide spending on public cloud providers, including AWS and Google, is projected to reach $679 billion this year, according to consultancy firm Gartner. Within the next five years, most organizations are expected to view cloud platforms as a “business necessity” rather than merely an “innovation facilitator” or a “business disruptor.”
Intelligence agencies have raised alarms about the intensification of worldwide cyber espionage activity by APT29 against the backdrop of Moscow’s continued aggression towards Ukraine. In November, Ukraine’s cyber authorities in Kyiv attributed attacks on numerous countries’ embassies to APT29.
APT29’s Intrusion into Microsoft
In a revelation made by Microsoft in January, it was found that APT29 had pilfered emails and documents from the accounts of high-ranking officials and staff members within its cybersecurity and legal divisions.
APT29’s Tactics
APT29 employs several strategies to infiltrate systems:
- Token Theft: They pilfer cloud-based authentication tokens, enabling them to gain access to accounts without needing a password.
- MFA Bombing: This technique involves the persistent pushing of logon validation requests to the victim’s devices until they inadvertently or out of frustration authorize the logon, thereby bypassing multifactor authentication.
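As an added illustration, not taken from the alert or this article, the following Python sketch shows how a defender might surface the two sign-in patterns described above in the Hacking Techniques and Tactics sections: MFA bombing (a burst of rejected pushes to one user, often followed by the approval that gives the attacker in) and password guessing against service accounts that have no MFA. The event records, field names and thresholds are constructed assumptions, not the schema or defaults of any identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events; field names and thresholds are assumptions, not any provider's schema.
SAMPLE_EVENTS = [
    # Six MFA pushes that the user rejects within ten minutes, then one approved.
    *[{"ts": f"2024-02-26T08:{m:02d}:00", "user": "alice", "result": "mfa_denied"} for m in range(0, 12, 2)],
    {"ts": "2024-02-26T08:13:00", "user": "alice", "result": "mfa_approved"},
    # Fourteen wrong passwords in 40 seconds against a dormant service account.
    *[{"ts": f"2024-02-26T09:00:{s:02d}", "user": "svc-backup", "result": "password_failed"} for s in range(0, 40, 3)],
    # Ordinary activity: one accidental denial, then a normal approval.
    {"ts": "2024-02-26T09:05:00", "user": "bob", "result": "mfa_denied"},
    {"ts": "2024-02-26T09:06:00", "user": "bob", "result": "mfa_approved"},
]

def _burst_users(events, results, threshold, window):
    """Users with >= threshold events of the given result types in some sliding window; returns {user: peak}."""
    per_user = defaultdict(list)
    for e in events:
        if e["result"] in results:
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for user, ts in per_user.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:   # advance the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[user] = peak
    return hits

def find_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """MFA bombing: repeated denied or expired pushes to one user in a short span."""
    return _burst_users(events, {"mfa_denied", "mfa_timeout"}, threshold, window)

def find_credential_guessing(events, threshold=10, window=timedelta(minutes=30)):
    """Brute force against an account, e.g. a service account that has no MFA."""
    return _burst_users(events, {"password_failed"}, threshold, window)

def approved_after_fatigue(events):
    """Flagged users who approved a push after the denials: the bypass likely worked, so revoke that session."""
    flagged, seen_denial, gave_in = find_mfa_fatigue(events), set(), set()
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 timestamps sort as text
        if e["user"] in flagged and e["result"] in {"mfa_denied", "mfa_timeout"}:
            seen_denial.add(e["user"])
        elif e["result"] == "mfa_approved" and e["user"] in seen_denial:
            gave_in.add(e["user"])
    return gave_in
```

Tune the thresholds to your own baseline: a single denied push is routine, while a run of them that ends in an approval deserves session revocation and a password reset for the account.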
Persistence and Camouflage
Upon gaining entry, APT29 may establish persistence by adding its own devices to the network. To further conceal its activities, it routes internet traffic through residential proxies. This provides the attackers with an exit point from residential networks and IP addresses, which are less likely to arouse the suspicion of system administrators.