AdvisoryAdvisoriesCISAAA24-057A

February 26, 2024

SVR Cyber Actors Adapt Tactics for Initial Cloud Access

February 26, 2024

What we know so far

The advisory details the activities of APT29, a cyber espionage group attributed to the SVR, targeting various sectors by adapting their tactics, techniques, and procedures (TTPs) to the increased use of cloud infrastructure by government and corporations. This group, known by several names including Midnight Blizzard and Cozy Bear, has expanded its targeting to sectors such as aviation, education, and military, among others. Notable past activities include the SolarWinds software supply chain compromise and targeting COVID-19 vaccine developers. Recently, APT29 has been adapting to cloud environments by employing methods like brute forcing and password spraying to gain initial access, particularly targeting service and dormant accounts. Additionally, they've utilized cloud-based token authentication and device enrollment techniques to maintain access and persistence within compromised networks. The use of residential proxies has also been observed, aiming to covertly maintain their presence on the internet and evade detection.

Arrow Right

Schedule a test

Our insights

Verified Security Tests

Protect your endpoints

Subscribe to alerts

Insights by Prelude

Cloud infrastructure has become a prime target for sophisticated cyber espionage groups like APT29, highlighting the evolving landscape of cyber threats. These actors adeptly exploit the inherent vulnerabilities and complexities of cloud environments, such as service and dormant accounts that are harder to protect with conventional security measures like multi-factor authentication (MFA). Their tactics, including brute forcing, password spraying, and the exploitation of cloud-based token authentication, underline the critical need for organizations to reinforce cloud security postures. This includes implementing stringent access controls, monitoring for unusual access patterns, and adopting robust incident response protocols. The shift towards cloud-centric operations necessitates a proactive approach to security, emphasizing the importance of continuous assessment and adaptation of security measures to counter such advanced threat actors. The use of residential proxies by these actors further complicates detection efforts, necessitating a multi-layered security strategy that goes beyond perimeter defenses and involves sophisticated detection and response mechanisms to identify and mitigate threats posed by highly stealthy and persistent adversaries.

See if you are protected against this advisory

Arrow Right

Schedule a test with Prelude

Subscribe to advisory alerts

Be immediately notified of new advisories and associated security tests

More advisories

AdvisoryAdvisoryCISAAA24-057A

February 26, 2024

SVR Cyber Actors Adapt Tactics for Initial Cloud Access

AdvisoryAdvisoryCISAAA24-046A

February 15, 2024

Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization

AdvisoryAdvisoryCISAAA24-038A

February 7, 2024

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

See all advisories

Arrow Right
Solutions
For Detection & Response TeamsFor CISOs
Platform
DetectCrowdStrike
Company
AboutVisionCareersBlogAdvisoriesResourcesCommunityPress
Book a Demo

©2024 Prelude Research, Inc. All rights reserved.
Prelude, its logo and other trademarks are trademarks of Prelude Research, Inc. and may not be used without permission.

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
DenyAccept

Cookies

Heading to RSA in May? Machine speed detection and response is waiting for you at our booth
See Prelude at RSA
Arrow Right