One of Russia’s elite cyberespionage threat groups, APT29, has modified its hacking methods as the governments and corporations it spies on move more of their infrastructure into the cloud.
APT29, also known as Cozy Bear, Midnight Blizzard and Nobelium, has been identified by Western intelligence agencies as a unit of the Russian Foreign Intelligence Service (SVR).
A new advisory from the UK’s National Cyber Security Centre (NCSC) warns the gang has evolved its tactics, techniques, and procedures (TTPs) to gain access more effectively to its victims’ cloud services.
Two of the more infamous attacks attributed to APT29 were the 2016 Democratic National Committee hack and the 2020 supply chain compromise of SolarWinds software. More recently, it was held responsible for hacking the email accounts of Microsoft staff, including members of the company’s senior leadership team, and stealing SharePoint and email files from Hewlett Packard Enterprise.
The dangers of service accounts
The NCSC advisory said APT29 was skilled at using brute-force and password-spraying attacks to access service accounts — accounts not tied to a specific individual that are typically used to run and manage applications and services. Because they are often accessed by more than one person within an organization, service accounts are harder to protect with multi-factor authentication (MFA).
“Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing,” the advisory said.
“Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.”
The NCSC said APT29 also targeted dormant accounts that remained on the system after users left an organization.
“Following an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.”
The gang was also observed using a technique known as “MFA bombing” or MFA fatigue to repeatedly push MFA requests to a victim’s device until the victim accepts the notification.
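The three sign-in-layer techniques described above (password spraying against service accounts, logging back into dormant accounts after a reset, and MFA fatigue) each leave a recognisable pattern in a cloud identity provider's sign-in log. The following is an added example, not code from the NCSC advisory or the article: it runs three simple detection heuristics over a small constructed set of sign-in events. The field names (`ts`, `user`, `ip`, `result`, `mfa`), the sample values and the thresholds are assumptions chosen for the example, and would need to be mapped onto the real log schema of whichever identity provider is in use.

```python
"""Detection heuristics for password spraying, dormant-account reactivation
and MFA fatigue over a constructed sign-in log (added example; field names,
values and thresholds are assumptions, not from the advisory)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data.
# result: outcome of the password step ("ok" / "fail").
# mfa:    outcome of the MFA prompt, if one was issued (None / "denied" / "approved").
SAMPLE_EVENTS = [
    # One source IP failing against six different service accounts in a minute.
    {"ts": "2024-02-26T09:00:00", "user": "svc-backup",  "ip": "198.51.100.7", "result": "fail", "mfa": None},
    {"ts": "2024-02-26T09:00:10", "user": "svc-deploy",  "ip": "198.51.100.7", "result": "fail", "mfa": None},
    {"ts": "2024-02-26T09:00:20", "user": "svc-monitor", "ip": "198.51.100.7", "result": "fail", "mfa": None},
    {"ts": "2024-02-26T09:00:30", "user": "svc-reports", "ip": "198.51.100.7", "result": "fail", "mfa": None},
    {"ts": "2024-02-26T09:00:40", "user": "svc-sync",    "ip": "198.51.100.7", "result": "fail", "mfa": None},
    {"ts": "2024-02-26T09:00:50", "user": "svc-etl",     "ip": "198.51.100.7", "result": "fail", "mfa": None},
    # A user account silent for months suddenly signs in successfully.
    {"ts": "2023-10-01T08:00:00", "user": "jsmith", "ip": "203.0.113.5",  "result": "ok", "mfa": "approved"},
    {"ts": "2024-02-26T09:05:00", "user": "jsmith", "ip": "198.51.100.7", "result": "ok", "mfa": "approved"},
    # Correct password, three MFA prompts denied, then one approved.
    {"ts": "2024-02-26T09:10:00", "user": "aho", "ip": "198.51.100.7", "result": "ok", "mfa": "denied"},
    {"ts": "2024-02-26T09:11:00", "user": "aho", "ip": "198.51.100.7", "result": "ok", "mfa": "denied"},
    {"ts": "2024-02-26T09:12:00", "user": "aho", "ip": "198.51.100.7", "result": "ok", "mfa": "denied"},
    {"ts": "2024-02-26T09:13:00", "user": "aho", "ip": "198.51.100.7", "result": "ok", "mfa": "approved"},
    # Ordinary successful sign-in, should trigger nothing.
    {"ts": "2024-02-26T08:30:00", "user": "bchen", "ip": "203.0.113.9", "result": "ok", "mfa": "approved"},
]


def _parse(events):
    """Copy events with parsed timestamps, sorted chronologically."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def _signed_in(e):
    """True when the password was accepted and MFA (if prompted) was approved."""
    return e["result"] == "ok" and e["mfa"] != "denied"


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=30)):
    """Return {ip: distinct_accounts} for IPs whose failed logins hit at least
    min_accounts distinct accounts within a single time window."""
    failures = defaultdict(list)
    for e in _parse(events):
        if e["result"] == "fail":
            failures[e["ip"]].append(e)
    hits = {}
    for ip, evs in failures.items():
        best = 0
        for i, start in enumerate(evs):  # evs is chronological, so evs[i:] is "after start"
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            hits[ip] = best
    return hits


def detect_dormant_reactivation(events, dormant_after=timedelta(days=90)):
    """Return [(user, days_idle)] for successful sign-ins to accounts whose
    previous successful sign-in was more than dormant_after ago."""
    last_success, hits = {}, []
    for e in _parse(events):
        if not _signed_in(e):
            continue
        prev = last_success.get(e["user"])
        if prev is not None and e["ts"] - prev > dormant_after:
            hits.append((e["user"], (e["ts"] - prev).days))
        last_success[e["user"]] = e["ts"]
    return hits


def detect_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Return [(user, denials)] when an approved MFA prompt follows at least
    min_denials denied prompts for the same user inside the window."""
    per_user = defaultdict(list)
    for e in _parse(events):
        if e["mfa"] in ("denied", "approved"):
            per_user[e["user"]].append(e)
    hits = []
    for user, evs in per_user.items():
        for i, e in enumerate(evs):
            if e["mfa"] != "approved":
                continue
            recent = [x for x in evs[:i] if x["mfa"] == "denied" and e["ts"] - x["ts"] <= window]
            if len(recent) >= min_denials:
                hits.append((user, len(recent)))
                break
    return hits


if __name__ == "__main__":
    print("password spray:", detect_password_spray(SAMPLE_EVENTS))
    print("dormant reactivation:", detect_dormant_reactivation(SAMPLE_EVENTS))
    print("mfa fatigue:", detect_mfa_fatigue(SAMPLE_EVENTS))
```

The dormant-account check deliberately keys on the gap between successful sign-ins rather than on the account's status flag, because the advisory's point is that the account was still enabled; tying the alert to the enforced password reset window during an incident would sharpen it further.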
Initial access leaves victims exposed
“Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant,” the advisory said.
“If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network.”
After gaining initial access, the gang was able to deploy “highly sophisticated post compromise capabilities” such as MagicWeb, a tool APT29 was observed deploying in 2022 that enabled members to maintain persistence within compromised systems and carry out espionage activities.
Patrick Tiquet, Keeper Security’s vice president of security and architecture, said APT29’s targeting of cloud services was emblematic of the evolving nature of cyber threats and the adaptability of malicious actors.
“Cloud environments present attractive targets due to the concentration of sensitive data and critical services,” he said.
Mitigating the risks of service accounts
Tiquet said the type of generic service accounts APT29 targeted in its cloud-based attacks were often created by organizations for the sake of convenience and streamlined management, especially for automated processes within their cloud environments.
“However, the use of such generic accounts can introduce security vulnerabilities, and if compromised, can grant attackers broad access to critical resources. Additionally, they provide no visibility into who has logged in to the shared account.”
He said organizations should keep an accurate inventory of all service accounts so that they could be regularly audited, and removed or disabled when no longer required.
In its advisory, the NCSC recommended organizations create “canary” service accounts that appeared valid but were never used for legitimate services.
“Monitoring and alerting on the use of these accounts provides a high confidence signal that they are being used illegitimately and should be investigated urgently,” the agency said.
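Two of the recommendations above are concrete enough to script: keeping an inventory of service accounts so that unowned or unused ones are disabled, and alerting on any use of a canary service account. The following is an added example, not code from the NCSC advisory, Keeper Security or the article. It runs over a constructed inventory and a constructed list of authentication events; the inventory fields (`owner`, `canary`, `last_used`), the event fields, the account names and the 90-day threshold are all assumptions for the example.

```python
"""Service-account inventory review and canary-account alerting
(added example; inventory and event fields, names and thresholds are assumptions)."""
from datetime import datetime, timedelta

# Constructed inventory, not a real tenant. 'owner' is the responsible team;
# 'canary' marks decoy accounts that look valid but are never used legitimately.
SERVICE_ACCOUNTS = [
    {"name": "svc-backup",       "owner": "infra",   "canary": False, "last_used": "2024-02-25T23:00:00"},
    {"name": "svc-legacy-etl",   "owner": "data",    "canary": False, "last_used": "2023-08-14T02:00:00"},
    {"name": "svc-orphan",       "owner": None,      "canary": False, "last_used": "2024-02-20T10:00:00"},
    {"name": "svc-finance-sync", "owner": "finance", "canary": True,  "last_used": None},
]

# Constructed authentication events. Failed attempts against a canary count too:
# nobody legitimate should even be trying that account's name.
AUTH_EVENTS = [
    {"ts": "2024-02-26T09:00:00", "user": "svc-backup",       "ip": "10.0.4.12",    "result": "ok"},
    {"ts": "2024-02-26T09:00:31", "user": "svc-finance-sync", "ip": "198.51.100.7", "result": "fail"},
    {"ts": "2024-02-26T09:00:40", "user": "svc-finance-sync", "ip": "198.51.100.7", "result": "fail"},
]


def canary_alerts(events, accounts):
    """Return one high-severity alert per authentication event (success or
    failure) that names a canary account."""
    canaries = {a["name"] for a in accounts if a["canary"]}
    return [
        {"severity": "high", "account": e["user"], "ip": e["ip"], "ts": e["ts"], "result": e["result"]}
        for e in events
        if e["user"] in canaries
    ]


def inventory_findings(accounts, now, unused_after=timedelta(days=90)):
    """Return [(account, finding)] for non-canary service accounts that have no
    owner or have not been used within unused_after. 'now' is an ISO timestamp."""
    now = datetime.fromisoformat(now)
    findings = []
    for a in accounts:
        if a["canary"]:
            continue  # canaries are meant to sit unused; they are covered by canary_alerts
        if a["owner"] is None:
            findings.append((a["name"], "no owner: assign one or disable"))
        idle = a["last_used"] is None or now - datetime.fromisoformat(a["last_used"]) > unused_after
        if idle:
            findings.append((a["name"], f"unused for more than {unused_after.days} days: disable or remove"))
    return findings


if __name__ == "__main__":
    for alert in canary_alerts(AUTH_EVENTS, SERVICE_ACCOUNTS):
        print("ALERT", alert)
    for name, finding in inventory_findings(SERVICE_ACCOUNTS, "2024-02-26T09:30:00"):
        print("REVIEW", name, finding)
```

The canary check is intentionally indiscriminate: because a canary has no legitimate user, a failed password attempt is just as strong a signal as a successful login, and both should open an investigation rather than wait for further activity.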
The NCSC advisory was issued jointly with the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and international partner cybersecurity agencies in Canada, Australia and New Zealand.