Malicious cyber actors linked to Russia’s Foreign Intelligence Service (SVR) are adapting their techniques in response to the increasing shift to cloud-based infrastructure, UK and international security officials have revealed.

In a new joint advisory, the National Cyber Security Centre (NCSC), which is a part of GCHQ, and agencies in the United States, Australia, Canada, and New Zealand have detailed how the threat group, which is known as APT29, has adapted its techniques for intelligence gain to target organisations that have moved to cloud-hosted environments.

According to the agency:

“Many of the sectors targeted by the SVR, including think tanks, healthcare, and education, have moved to cloud-based infrastructure, which means that traditional means of access – such as through the exploitation of software vulnerabilities – are more limited.

Instead, SVR actors have over the past 12 months been observed stealing system-issued access tokens to compromise victim accounts, enrolling new devices to the victim’s cloud environment via credential reuse from personal accounts, and targeting system accounts with password spraying and brute forcing, which is successfully enabled by weak passwords and the absence of 2-step verification (2SV).

Once initial access has been gained, the actor is then capable of deploying highly sophisticated capabilities. Along with updated threat information, the advisory also provides mitigation advice on how to counter the evolving tactics of APT29. The NCSC assesses that APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear, is a cyber espionage group which almost certainly operates as part of Russia’s Foreign Intelligence Service.”
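As an added example (not from the article or the NCSC advisory), the following Python sketches how a defender could pick the low-and-slow password-spray pattern described in the quoted advisory out of cloud sign-in logs: one source hitting many accounts with only one or two failures each, followed by a success on an account that has no 2SV enrolled. The log layout, field names, thresholds, IP addresses and sample records are all constructed assumptions, not a real provider's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (timestamp, source_ip, account, result, mfa_enrolled).
# The format is an assumption; real identity providers export richer schemas.
SAMPLE_LOG = [
    ("2024-02-26T09:00:01Z", "198.51.100.7", "svc-backup",  "FAIL",    False),
    ("2024-02-26T09:00:04Z", "198.51.100.7", "svc-reports", "FAIL",    False),
    ("2024-02-26T09:00:08Z", "198.51.100.7", "svc-monitor", "FAIL",    False),
    ("2024-02-26T09:00:11Z", "198.51.100.7", "svc-sync",    "FAIL",    True),
    ("2024-02-26T09:00:15Z", "198.51.100.7", "svc-legacy",  "FAIL",    False),
    ("2024-02-26T09:00:19Z", "198.51.100.7", "svc-legacy",  "SUCCESS", False),
    # A user mistyping their own password a few times is not a spray.
    ("2024-02-26T09:05:00Z", "203.0.113.9",  "alice",       "FAIL",    True),
    ("2024-02-26T09:05:20Z", "203.0.113.9",  "alice",       "FAIL",    True),
    ("2024-02-26T09:05:40Z", "203.0.113.9",  "alice",       "SUCCESS", True),
    # An old failure from the spraying IP, outside the detection window.
    ("2024-02-25T22:00:00Z", "198.51.100.7", "svc-old",     "FAIL",    False),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=10),
                          min_accounts=4, max_per_account=2):
    """Return one finding per source IP whose failures inside `window` hit at
    least `min_accounts` distinct accounts with at most `max_per_account`
    failures each. That shape distinguishes a spray from a brute force against
    a single account (many failures, one account) and from a user mistyping a
    password (few failures, one account)."""
    by_ip = defaultdict(list)
    for ts, ip, account, result, mfa in records:
        by_ip[ip].append((parse_ts(ts), account, result, mfa))

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        fails = [e for e in events if e[2] == "FAIL"]
        # Slide a window forward from each failure and look for the spray shape.
        for start, _, _, _ in fails:
            end = start + window
            per_account = defaultdict(int)
            for t, acct, _, _ in fails:
                if start <= t <= end:
                    per_account[acct] += 1
            if len(per_account) < min_accounts or max(per_account.values()) > max_per_account:
                continue
            # A success from the spraying IP inside the window is the priority lead,
            # and accounts without 2SV/MFA are where a guessed password is enough.
            successes = sorted({acct for t, acct, r, _ in events
                                if r == "SUCCESS" and start <= t <= end})
            no_mfa = sorted({acct for t, acct, _, mfa in events
                             if start <= t <= end and not mfa})
            findings.append({
                "source_ip": ip,
                "window_start": start.isoformat(),
                "accounts_targeted": sorted(per_account),
                "successful_logins": successes,
                "targeted_without_mfa": no_mfa,
            })
            break  # one finding per IP; overlapping windows would only repeat it
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LOG):
        print(finding)
```

Tuning note: the thresholds are deliberately loose so the constructed data trips them; in a real tenant the window and account counts should be set against the organisation's own baseline, and the `successful_logins` list is what warrants immediate token revocation and a password reset rather than just a ticket.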

NCSC Director of Operations, Paul Chichester, said:

“We are resolute in our commitment to exposing malicious cyber activity, which includes raising awareness of changes in the behaviour of groups which persistently target the UK. The NCSC urges organisations to familiarise themselves with the intelligence and mitigation advice within the advisory to help defend their networks.”

Read more on this from the NCSC here.

George Allison
George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison

17 COMMENTS

  1. Afternoon everyone.

    Do you recall several months back, there were accusations that “our surface fleet acts like porcupines – well-defended herbivores with limited offensive capabilities”?

    Why do I get the feeling that our cyber domain is no different? Lots of action on defending against attacks, beefing up cyber-security, enabling multi-factor authentication and all that (which of course I’m fully on-board with)… but what about dishing it back out?

    Do you think we’re doing similar attacks on their digital infrastructure? Chances are the public domain will never be made aware of it, but it does seem like we’re always on the defensive in this aspect. Perhaps therein lies the problem of having a society so dependent on the web.

    If we returned the favour in kind, would it be considered “below the threshold of war”? Or would Russia accuse us of unprovoked, provocative actions and take “necessary steps” to defend itself?

    What are anyone else’s thoughts?
    Cheers M@

    • Must admit it is all gobbledegook to me. I do recall the US uploaded something into Iranian techno computer thingies a few years ago. So yes, it is a two way street. My concern is the apparent dependence on these “systems” for vital services. I admired the old Warpac countries in a way, I know Rumania and Bulgaria at least had kept their “copper wire” communications systems intact for similar security concerns. And the Hereford mob made a beeline in Gulf 1 for Iraqi fibre optic cables. My limited knowledge WAS however tweaked during the pandemic. Apparently the army were playing domestic games to counter opposing views on Covid. In truth a whole government cell were too, using social media. The army denied it, a whistle blower and some sections of media confirmed they had. Frankly I prefer older, slower and reliable methods, too much dependence on tech can be a country’s undoing.

      • That was 77 Bde regards social media influencing.
        And Russia, China and other anti western groups in our own country do that stuff all the time. So I have no issues with the army being involved.
        Look into 15 PSYOPS Group at Chicksands for some history there.

        • I have a deep distrust when a nation’s soldiers are used against the population in that way Daniele. Then I have a general distaste for spooks on any side. If, just if civil disorder becomes the norm? Then fine with me. On one level I do not count 77 as soldiers at all. That’s my view, I realise others might see it differently.

          • No worries John.
            Not just Soldiers, includes RN and RAF and Civil service. Plenty of military personnel are involved in “spook” stuff, most quite legitimate and vital.

    • The NCSC referred to in the article is the new name for GCHQ’s old CESG.
      They do defensive Cyber, as do, reportedly, the military’s JCUs, one of which is at Corsham and part of the CERT.
      The offensive side that you refer to is the domain of the “National Cyber Force” which has a big veil of secrecy surrounding it. GCHQ’s Cyber Operations Centre at the Donut is said to be involved, as are elements of the military, the SS, SIS, and DSTL.
      So yes, I believe we do conduct offensive cyber. It was admitted as such several years ago by HMG, but it is all classified as you rightly say.
      GCHQ has MORE than enough technical wizardry, hand in glove with NSA, to give it back.
      I think this grey zone stuff has been going on for years in a tit for tat fashion neither side will open up fully on. Best to keep our aces close for the big day if it ever happens.

      • Thanks Daniele, I’ll take a look at that. It makes me wonder how much of what we read about it in the public domain is actually true. I suspect there are facilities across the UK that act as redundancies if main sites/buildings go dark. I’d like to think we have some amazing aces on standby as you say.
        Cheers
        M@

        • Redundancies, I believe we do. All organisations have contingency plans, there are many back up data centres especially.
          Several military ones were got rid of after the Cold War, like the alternate HQ Land at ***, alternate CRC at Ash, alternate ADOC at Bentley Priory, and so on. Site 3, the alternate CGWHQ at Burlington is a well known one. There were plenty of others too.
          I’m aware of a few others still existent that are open source so can mention a few, but I need to be careful here.

          The BBC have a standby at Wood Norton, the Security Service have their alternate, reportedly, at Loughside. They also have a Remote Data Centre and the 3 Intelligence agencies share another Remote Data Centre. I’m aware of the location of both, as are some journalists, but a DA has been issued on one. Both have been mentioned by the ISC.

          A few years ago, another ISC report part detailed the SIS practicing decamping from VX to their alternate/contingency site. They did not say where of course, that part was redacted, but I myself have a place I suspect.😉 The GCHQ have an alternate, reportedly. Again, the site is well known, even if the functions are not.
          I look into all this stuff as a hobby and there are others “alleged” which I won’t go into here just in case there is no smoke without fire.

          Just to note again, ALL that I have just listed is available online on opensource websites. And I also think some of our vast “Defence” budget vanishes into this sort of thing.

    • I remember the Economist reporting a few years ago that the US put a majority of its resources into counter espionage rather than defence so was left with the opposite concern to you!

    • Placing virtually everything on the web does seem like an own goal vulnerability. Indeed we functioned quite well before computerisation. While with it we are far more capable, we should always have “analogue” back ups in case the whole thing one day is rendered useless. Militarily, even more vital.

      • I’d read, not sure the truth in it, that FSB went back to typewriters as cannot be intercepted. I think it’s something called Tempest.

  2. Cloud based infrastructure must be one of the most ill thought out acquired technologies. If anything is driven more by ‘the bottom line’ at the expense of security, I don’t know what it is.

  3. This Cyber war stuff just got serious…… HMS Warrior’s Web Cam has been out all day…… It’s simply not cricket.

  4. Would be interesting to see Ulya and JohninMK’s views on here… if they can remember which account to use…..😎
