Russian threat actor expanding its target list, warns Five Eyes report

Share post:

The Russian threat group known to researchers by several names, including APT29,  Midnight Blizzard, the Dukes, or Cozy Bear, is broadening its targets to cloud-based services, warn the Five Eyes nations that share intelligence.

In a report issued Monday, the partners — including the U.S., the U.K., Canada, Australia and New Zealand — said APT29 is expanding its targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations. And it’s going after the cloud services these organizations have.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” the report explains.

Until recently, this group focused mainly on governmental, think tank, healthcare, and energy targets for intelligence gain.

But arguably it’s best known for compromising the software update mechanism of SolarWinds’ Orion network management suite in 2019 to spread malware.

APT29 is a cyber espionage group, “almost certainly part of the SVR, an element of the Russian intelligence services,” the report says.

In previous SVR campaigns, the actors successfully used brute forcing and password spraying to access service accounts that run and manage applications and services, the report says.

In attacking cloud services, SVR actors have been seen using system-issued tokens to access their victims’ accounts, without needing a password.

The SVR successfully bypasses password authentication on personal accounts using password spraying and credential reuse. SVR actors have also then bypassed MFA through a technique known as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification, the report says.

Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own devices as new devices on the cloud tenant. If device validation rules are not set up, SVR actors can successfully register their own devices and gain access to the network.

Another SVR tactic is the use of residential proxies, which make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source. This can make it harder to distinguish malicious connections from typical users, the report says.

A strong baseline of cyber security fundamentals can help defend from such actors, the report says. For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to lower the odds of an initial network compromise.

More details are available in the report itself.

The post Russian threat actor expanding its target list, warns Five Eyes report first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Controversial expansion of US surveillance powers nears Senate vote

The US Senate is poised to vote on a significant expansion of Section 702 of the Foreign Intelligence...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways