Five Eyes issue warning on APT29’s cloud-based attacks

The Five Eyes intelligence alliance, comprising security agencies from the UK, US, Canada, Australia, and New Zealand, has raised the alarm over a new modus operandi employed by APT29, also known as Cozy Bear, a hacker group linked to the Russian Foreign Intelligence Service (SVR). Per the report, APT29 has now pivoted its tactics towards targeting victims’ cloud services.

In a joint advisory, the Five Eyes agencies caution that APT29 is adapting to modern IT environments, particularly the widespread adoption of cloud-based infrastructure. Instead of exploiting software vulnerabilities in on-premises networks, APT29 now aims its attacks directly at cloud services themselves.

The advisory warns that APT29 gains access to cloud environments using compromised service account credentials obtained through brute-force or password-spraying attacks. Once inside, they employ sophisticated tools like MagicWeb malware to masquerade as legitimate users, hampering detection efforts.

To counter these evolving threats, network defenders are urged to implement robust security measures. These include enabling multi-factor authentication (MFA) and enforcing strong passwords, adhering to the principle of least privilege, and promptly removing unused or dormant accounts. Additionally, vigilance against indicators of compromise and monitoring for suspicious activity are crucial steps in thwarting APT29’s advances.

By adopting these recommendations, organisations can bolster their defences against APT29’s cloud-based incursions and mitigate the risk of future breaches.

Historically, APT29 has targeted UK federal agencies, NATO nations, and European governments through various cyber campaigns, including phishing attacks. Recent disclosures by Microsoft attributed the Exchange Online breach to the SVR, highlighting the continued risk posed by well-resourced nation state threat actors.