Malicious cyber actors linked to Russia’s Foreign Intelligence Service (SVR) are adapting their techniques in response to the increasing shift to cloud-based infrastructure, UK and international security officials have revealed.

In a new joint advisory, the National Cyber Security Centre (NCSC), which is a part of GCHQ, and agencies in the United States, Australia, Canada, and New Zealand have detailed how the threat group, which is known as APT29, has adapted its techniques for intelligence gain to target organisations that have moved to cloud-hosted environments.

According to the agency:

“Many of the sectors targeted by the SVR, including think tanks, healthcare, and education, have moved to cloud-based infrastructure, which means that traditional means of access – such as through the exploitation of software vulnerabilities – are more limited.

Instead, SVR actors have over the past 12 months been observed stealing system-issued access tokens to compromise victim accounts, enrolling new devices to the victim’s cloud environment via credential reuse from personal accounts, and targeting system accounts with password spraying and brute forcing, which is successfully enabled by weak passwords and the absence of 2-step verification (2SV).

Once initial access has been gained, the actor is then capable of deploying highly sophisticated capabilities. Along with updated threat information, the advisory also provides mitigation advice on how to counter the evolving tactics of APT29. The NCSC assesses that APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear, is a cyber espionage group which almost certainly operates as part of Russia’s Foreign Intelligence Service.”
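The password spraying the advisory names leaves a recognisable trace in cloud sign-in logs: one source failing against many distinct accounts with only one or two attempts each, which keeps every account under its lockout threshold, and then a success on whichever account had a weak password and no 2SV. The Python below is an added example written for this page, not code from the NCSC advisory or from the agencies involved. The log format, the IP addresses, account names and the thresholds (a 10-minute window, at least 5 accounts, at most 2 tries per account) are all assumptions; real identity-provider sign-in logs carry the same fields under other names.

```python
"""Added example: flag password spraying in cloud sign-in logs.

The log format below is an assumption made for this example; real
identity-provider sign-in logs carry the same fields under other names.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): one sign-in attempt per line.
# Fields: timestamp, source IP, account, result, whether MFA/2SV was satisfied.
# 203.0.113.7 sprays six accounts once each and then lands on frank (no 2SV);
# 198.51.100.20 is a single user mistyping a password, then succeeding with 2SV.
SAMPLE_LOG = """\
2024-02-26T09:00:01Z 203.0.113.7 alice@example.org FAIL mfa=no
2024-02-26T09:00:03Z 203.0.113.7 bob@example.org FAIL mfa=no
2024-02-26T09:00:05Z 203.0.113.7 carol@example.org FAIL mfa=no
2024-02-26T09:00:07Z 203.0.113.7 dave@example.org FAIL mfa=no
2024-02-26T09:00:09Z 203.0.113.7 erin@example.org FAIL mfa=no
2024-02-26T09:00:11Z 203.0.113.7 frank@example.org FAIL mfa=no
2024-02-26T09:03:40Z 203.0.113.7 frank@example.org SUCCESS mfa=no
2024-02-26T09:01:00Z 198.51.100.20 alice@example.org FAIL mfa=no
2024-02-26T09:01:20Z 198.51.100.20 alice@example.org FAIL mfa=no
2024-02-26T09:01:45Z 198.51.100.20 alice@example.org SUCCESS mfa=yes
2024-02-26T09:02:00Z 192.0.2.9 carol@example.org SUCCESS mfa=yes
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    src: str
    account: str
    success: bool
    mfa: bool


def parse_line(line: str) -> SignIn:
    ts, src, account, result, mfa = line.split()
    return SignIn(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        src=src,
        account=account,
        success=(result == "SUCCESS"),
        mfa=(mfa == "mfa=yes"),
    )


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source_ip: set_of_targeted_accounts} for every source whose
    failures within any `window` hit at least `min_accounts` distinct accounts
    with no more than `max_per_account` tries each. Few tries per account is
    the spray signature: it keeps each account below its lockout threshold."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            failures[e.src].append(e)

    findings = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start:end + 1] spans at most `window`.
            while fails[end].ts - fails[start].ts > window:
                start += 1
            per_account = Counter(f.account for f in fails[start:end + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                findings.setdefault(src, set()).update(per_account)
    return findings


def successes_without_mfa(events, findings):
    """Successful sign-ins from a spraying source that were not protected by
    MFA/2SV: the accounts to treat as compromised first."""
    return [(e.src, e.account) for e in events
            if e.success and e.src in findings and not e.mfa]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_spray(evs)
    for src, accounts in found.items():
        print(f"spray from {src}: {len(accounts)} accounts targeted")
    for src, account in successes_without_mfa(evs, found):
        print(f"likely compromise: {account} from {src} (no 2SV)")
```

The single-account failures from 198.51.100.20 are deliberately not flagged: a user retrying a password touches one account many times, the reverse of a spray. In a real environment the same logic runs over the identity provider's sign-in export, and the 2SV check on the success is what separates an attempt from an actual account takeover.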

NCSC Director of Operations, Paul Chichester, said:

“We are resolute in our commitment to exposing malicious cyber activity, which includes raising awareness of changes in the behaviour of groups which persistently target the UK. The NCSC urges organisations to familiarise themselves with the intelligence and mitigation advice within the advisory to help defend their networks.”

Read more on this from the NCSC here.

George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison
17 Comments

Matt
Matt (@guest_798567)
3 months ago

Afternoon everyone. Do you recall several months back, there were accusations that “our surface fleet acts like porcupines – well-defended herbivores with limited offensive capabilities”? Why do I get the feeling that our cyber domain is no different. Lots of action on defending against attacks, beefing up cyber-security, enabling multi-factor authentication and all that (which of course I’m fully on-board with)… but what about dishing it back out? Do you think we’re doing similar attacks on their digital infrastructure? Chances are the public domain will never be made aware of it, but it does seem like we’re always on the… Read more »

John
John (@guest_798610)
3 months ago
Reply to Matt

Must admit it is all gobbledegook to me. I do recall the US uploaded something into Iranian techno computer thingies a few years ago. So yes, it is a two way street. My concern is the apparent dependence on these “systems” for vital services. I admired the old Warpac countries in a way, I know Romania and Bulgaria at least had kept their “copper wire” communications systems intact for similar security concerns. And the Hereford mob made a beeline in Gulf 1 for Iraqi fibre optic cables. My limited knowledge WAS however tweaked during the pandemic. Apparently the army were… Read more »

Daniele Mandelli
Daniele Mandelli (@guest_798633)
3 months ago
Reply to John

That was 77 Bde regards social media influencing.
And Russia, China and other anti western groups in our own country do that stuff all the time. So I have no issues with the army being involved.
Look into 15 PSYOPS Group at Chicksands for some history there.

John
John (@guest_798641)
3 months ago

I have a deep distrust when a nation's soldiers are used against the population in that way Daniele. Then I have a general distaste for spooks on any side. If, just if civil disorder becomes the norm? Then fine with me. On one level I do not count 77 as soldiers at all. That's my view, I realise others might see it differently.

Daniele Mandelli
Daniele Mandelli (@guest_798654)
3 months ago
Reply to John

No worries John.
Not just Soldiers, includes RN and RAF and Civil service. Plenty of military personnel are involved in “spook” stuff, most quite legitimate and vital.

Daniele Mandelli
Daniele Mandelli (@guest_798629)
3 months ago
Reply to Matt

The NCSC referred to in the article is the new name for GCHQ's old CESG. They do defensive Cyber, as do, reportedly, the military's JCUs, one of which is at Corsham and part of the CERT. The offensive side that you refer to is the domain of the “National Cyber Force” which has a big veil of secrecy surrounding it. GCHQ's Cyber Operations Centre at the Donut is said to be involved, as are elements of the military, the SS, SIS, and DSTL. So yes, I believe we do conduct offensive cyber. It was admitted as such several years ago… Read more »

Matt
Matt (@guest_798656)
3 months ago

Thanks Daniele, I’ll take a look at that. It makes me wonder how much of what we read about it in the public domain is actually true. I suspect there are facilities across the UK that act as redundancies if main sites/buildings go dark. I’d like to think we have some amazing aces on standby as you say.
Cheers
M@

Daniele Mandelli
Daniele Mandelli (@guest_798662)
3 months ago
Reply to Matt

Redundancies, I believe we do. All organisations have contingency plans, there are many back up data centres especially. Several military ones were got rid of after the Cold War, like the alternate HQ Land at ***, alternate CRC at Ash, alternate ADOC at Bentley Priory, and so on. Site 3, the alternate CGWHQ at Burlington is a well known one. There were plenty of others too. I’m aware of a few others still existent that are open source so can mention a few, but I need to be careful here. The BBC have a standby at Wood Norton, the Security… Read more »

Wizzam
Wizzam (@guest_798639)
3 months ago
Reply to Matt

I remember the Economist reporting a few years ago that the US put a majority of its resources into counter espionage rather than defence so was left with the opposite concern to you!

Frank62
Frank62 (@guest_798728)
3 months ago
Reply to Matt

Placing virtually everything on the web does seem like an own goal vulnerability. Indeed we functioned quite well before computerisation. While with it we are far more capable, we should always have “analogue” back ups in case the whole thing one day is rendered useless. Militarily, even more vital.

Daniele Mandelli
Daniele Mandelli (@guest_798749)
3 months ago
Reply to Frank62

I’d read, not sure the truth in it, that FSB went back to typewriters as cannot be intercepted. I think it’s something called Tempest.

grizzler
grizzler (@guest_798609)
3 months ago

Cloud based infrastructure must be one of the most ill thought out acquired technologies. If anything is driven more by ‘the bottom line’ at the expense of security I don’t know what it is.

Frank
Frank (@guest_798622)
3 months ago

This Cyber war stuff just got serious…… HMS Warrior’s Web Cam has been out all day…… It’s simply not cricket.

Daniele Mandelli
Daniele Mandelli (@guest_798634)
3 months ago
Reply to Frank

Mate….you’ve gotta fight this…..😄

Frank
Frank (@guest_798642)
3 months ago

The plan is to head there tomorrow….. I got a pretty good Chinese Web Cam set up off eBay a while back ….. It’s going to be a bit of a trip down memory lane scrambling up to the Crows nest but I’m not too old yet…. just wish me luck !

Daniele Mandelli
Daniele Mandelli (@guest_798651)
3 months ago
Reply to Frank

🤪💣

Frank
Frank (@guest_798743)
3 months ago

Would be interesting to see Ulya and JohninMK’s views on here… if they can remember which account to use…..😎