AdvisoryAdvisoriesCISAAA24-057A

February 26, 2024

SVR Cyber Actors Adapt Tactics for Initial Cloud Access

February 26, 2024

What we know so far

The advisory details the activities of APT29, a cyber espionage group attributed to the SVR, targeting various sectors by adapting their tactics, techniques, and procedures (TTPs) to the increased use of cloud infrastructure by government and corporations. This group, known by several names including Midnight Blizzard and Cozy Bear, has expanded its targeting to sectors such as aviation, education, and military, among others. Notable past activities include the SolarWinds software supply chain compromise and targeting COVID-19 vaccine developers. Recently, APT29 has been adapting to cloud environments by employing methods like brute forcing and password spraying to gain initial access, particularly targeting service and dormant accounts. Additionally, they've utilized cloud-based token authentication and device enrollment techniques to maintain access and persistence within compromised networks. The use of residential proxies has also been observed, aiming to covertly maintain their presence on the internet and evade detection.

Arrow Right

Schedule a test

Subscribe to advisory alerts

Be immediately notified of new advisories and associated security tests

More advisories