2024-03-07

Cybersecurity Authorities Warn of APT29's Shift Towards Cloud Infrastructure Attacks

Level: Strategic | Source: CISA

Sectors: Aviation, Defense, Education, Financial, Government, Law Enforcement

Advisories by the Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) have warned of activity from the Russian state-sponsored group APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, The Dukes) targeting cloud environments. Targeted organizations span a wide range of sectors, including aviation, education, financial, government, law enforcement, and military organizations. The advisories detail the evolution of the group's tactics, techniques, and procedures (TTPs) for exploiting cloud-based infrastructure to gain initial access, emphasizing a strategic shift toward cloud services as the primary target over traditional on-premises systems.

Intelligence from the government agencies identifies APT29's methods for gaining this initial access: exploiting service and dormant accounts through brute-forcing or password spraying, leveraging cloud-based token authentication that requires no password, enrolling new devices to bypass multi-factor authentication (MFA), and using residential proxies to obscure the source of their operations. These tactics reveal a concerted effort to navigate around modern cybersecurity measures. For instance, service accounts, which often lack human oversight and MFA, provide a lucrative entry point for the actors. Similarly, the abuse of cloud-based token authentication and the deliberate enrollment of new devices reflect a deep understanding of cloud architecture weaknesses.

The advisories discuss how APT29 has responded to enhanced network-level defenses by employing residential proxies, making their malicious traffic appear to originate from legitimate residential IP addresses. This TTP complicates the task of distinguishing malicious from benign connections and undermines traditional IP-based defense mechanisms. Organizations are recommended to adhere to the advisories' mitigations, including securing service accounts and implementing stringent device enrollment policies, to better protect against the initial access vectors exploited by APT29.
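Because residential proxies erode the value of source-IP reputation, the detections that remain useful against the initial-access TTPs described above key on account behaviour rather than on where a connection comes from. The following is an added example, not code from CISA, the NCSC or Anvilogic: a small Python detector run over constructed authentication log lines in an assumed `timestamp action key=value ...` format, with hypothetical `LAST_SEEN` and `KNOWN_SOURCES` baselines standing in for whatever identity-platform data a real deployment would supply. It flags three of the signals the advisories point at: many distinct accounts failing from one source inside a short window (password spraying), a successful sign-in to an account that has been dormant for months, and an MFA device enrollment shortly after a sign-in from a source never seen for that account.

```python
"""Account-centric detections for password spraying, dormant-account use and
suspicious MFA device enrollment. Added example; log format and baselines are
assumptions, and every sample value below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: one benign sign-in from a known source, then a spray
# from a single source that ends in a success on a dormant account, followed by
# an MFA enrollment from the same source five minutes later.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z login user=jdoe src=192.0.2.20 result=fail
2024-03-01T08:00:40Z login user=jdoe src=192.0.2.20 result=success
2024-03-01T09:10:00Z login user=svc-backup src=198.51.100.7 result=fail
2024-03-01T09:11:00Z login user=svc-reporting src=198.51.100.7 result=fail
2024-03-01T09:12:00Z login user=asmith src=198.51.100.7 result=fail
2024-03-01T09:13:00Z login user=bjones src=198.51.100.7 result=fail
2024-03-01T09:14:00Z login user=old-contractor src=198.51.100.7 result=fail
2024-03-01T09:15:00Z login user=old-contractor src=198.51.100.7 result=success
2024-03-01T09:20:00Z mfa_enroll user=old-contractor src=198.51.100.7 result=success
"""

UTC = timezone.utc
# Hypothetical baselines: last activity per account before this log, and the
# sources each account has signed in from before.
LAST_SEEN = {
    "jdoe": datetime(2024, 2, 29, tzinfo=UTC),
    "svc-backup": datetime(2024, 2, 28, tzinfo=UTC),
    "old-contractor": datetime(2023, 10, 1, tzinfo=UTC),
}
KNOWN_SOURCES = {"jdoe": {"192.0.2.20"}, "old-contractor": {"192.0.2.44"}}


def parse_line(line):
    """Parse 'ts action k=v k=v' into a dict with a tz-aware datetime."""
    ts, action, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return {"ts": when, "action": action, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: distinct accounts} for sources whose failed logins hit at
    least min_accounts different accounts within any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "fail":
            failures[e["src"]].append(e)
    hits = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                hits[src] = max(len(users), hits.get(src, 0))
    return hits


def detect_dormant_success(events, last_seen, dormant_days=90):
    """Return accounts that signed in successfully after being idle for longer
    than dormant_days (or with no recorded activity at all)."""
    flagged = []
    for e in events:
        if e["action"] == "login" and e["result"] == "success":
            prev = last_seen.get(e["user"])
            if prev is None or e["ts"] - prev > timedelta(days=dormant_days):
                flagged.append(e["user"])
    return flagged


def detect_enrollment_after_new_source(events, known_sources, window=timedelta(minutes=30)):
    """Return (user, src) for MFA enrollments that follow, within the window, a
    successful login from a source never seen before for that account."""
    flagged = []
    for e in events:
        if e["action"] != "mfa_enroll":
            continue
        preceded_by_new_source_login = any(
            x["action"] == "login" and x["result"] == "success"
            and x["user"] == e["user"] and x["src"] == e["src"]
            and x["src"] not in known_sources.get(e["user"], set())
            and timedelta(0) <= e["ts"] - x["ts"] <= window
            for x in events
        )
        if preceded_by_new_source_login:
            flagged.append((e["user"], e["src"]))
    return flagged


def run_detections(log_text):
    events = parse_log(log_text)
    return {
        "password_spray": detect_password_spray(events),
        "dormant_success": detect_dormant_success(events, LAST_SEEN),
        "enroll_after_new_source": detect_enrollment_after_new_source(events, KNOWN_SOURCES),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

The thresholds (five accounts in ten minutes, ninety days of dormancy, thirty minutes between sign-in and enrollment) are illustrative starting points to be tuned against an environment's own baseline; the point of the example is that each rule needs only account and event data, so it keeps working when the source address is a residential proxy.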

The importance of strong, complex passwords is evident from Microsoft's disclosure of an attack by APT29 in November 2023, in which password spraying served as the initial method of breach.
