Cloud Hacking, From Russia with Love

Blog AWS Security Cloud Infrastructure Cloud Security

Russian hackers are shifting their interest to the cloud, and have successfully breached cloud infrastructure. This is what a joint advisory issued by the U.K.’s National Cyber Security Centre (NCSC), the NSA, CISA, the FBI, and cybersecurity agencies from Australia, Canada, and New Zealand (also known as “The Five Eyes”)

The advisory details recent tactics, techniques and procedures (TTPs) of the Russian hacking  group known as APT29 (also known as Midnight Blizzard, the Dukes or Cozy Bear), which is associated with the Russian SVR.

Until recently, Russian Foreign Intelligence Service (SVR) cyber actors have targeted government entities, healthcare organizations, think tanks and energy facilities, mainly to obtain highly sensitive information for intelligence purposes. But now, these SVR actors are expanding their reach to include aviation, education, law enforcement, local and state councils, government financial departments and military organizations.

The most notable attacks carried our by these groups is the supply chain attack compromising software company SolarWinds  and a campaign that targeted organizations developing the COVID-19 vaccine.

APT29 has been around since 2008, and have evolved from hacking on-premise networks to supply chain attacks and now exploiting cloud services themselves.

The report outlines several TTPs used by APT29 to gain initial access to cloud environments, including:

Access via service and dormant accounts

The attack group has leveraged brute force and password spraying to access service accounts which are typically used to run and manage applications and services and are often also highly privileged, hence gaining access to such accounts provides attackers with privileged initial access to the victim network, enabling them to launch further operations. In addition, SVR campaigns have also targeted dormant accounts (belonging to users who no longer work at the organization) but whose accounts remain operational.

Using Cloud-based token authentication to bypass credentials

Access to cloud-based user accounts is typically authenticated by credentials (username and password ) or system-issued access tokens. SVR actors has been using tokens to access their victims’ accounts, without needing a password .

Enrolling new devices to the cloud

The SVR has sometimes managed to bypass password authentication on personal accounts using password spraying and credential reuse, and sometimes using  ‘MFA bombing’ (also known as: ‘MFA fatigue’), a technique in which the attacker repeatedly push Multi-factor Authentication requests to a victim’s device until the victim accepts the notification. Then the attacker registers it’s own device as a new device on the cloud tenant and gains access to the network.

Attack mitigation and identification

As for mitigation advice, the report includes the following best practices for system configuration:

  • Using multi-factor authentication (MFA)
  • Implementing strong password policies
  • Disabling inactive accounts
  • Implementing least privilege for service accounts
  • Configuring device enrollment policies

 

In addition, the report suggests to actively monitor suspicious activities, including monitoring a variety of information sources (such as application events and host-based logs).

Conclusion:

The SVR is a sophisticated, capable threat actor. It is now focusing its efforts on cloud infrastructure as well as more traditional breach methods. To quote the report:  “For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to protect against SVR’s TTPs for initial access. Once the SVR gain initial access, the actor is capable of deploying highly sophisticated post compromise capabilities”.

This means that in order to mitigate SVR-level attackers, organizations must improve their cloud security posture, their cloud red-teaming AND their real-time detection capabilities.

Subscribe to Skyhawk today for free!

Blog

We may have recently been exposed to the largest cyber campaign of all times, in which China managed to completely penetrate the communications infrastructure of its great rival, the United States.In doing so, gained access to huge amounts of invaluable

Cloud Breach
Blog

The global cloud market continues to grow rapidly, growing 23% year-over-year. This year, Google captured 13%, up from 10% last year. Google complements this impressive growth rate with an emphasis on privacy and security. The commitment to security is clear,

Cloud BreachCloud SecurityCSPM
Blog

Re:Invent has come to a close and we had a great week! We kicked off the week with our product announcement. Did you know that most threat actors (70%) are logging into the cloud – they are not “breaking in”.

Cloud BreachCloud SecurityThreat Detection
Blog

Skyhawk Security is proud to announce the expansion of its cloud threat detection and response capabilities with Interactive CDR. This new capability expands the team that can verify if an activity is malicious or not, by going to the alleged

AICloud BreachCloud SecurityThreat Detection
Blog

Skyhawk Security announces the availability of new features and integrations of its Autonomous Purple Team, aimed at extending detection and improving security validation as well as pre-validating threat detection alerts, to effectively manage the security of your cloud. The company

AICloud BreachCloud SecurityThreat Detection
Blog

By Asaf Shahar, VP, Product at Skyhawk Security Securing cloud environments presents unique challenges due to their constantly evolving nature. CERT-IL’s alert on public cloud threats (ALERT-CERT-IL-W-1810) underscores common vulnerabilities—exposed credentials, service misconfigurations, and inadequate tenant isolation—frequently exploited by attackers.

AICloud BreachCloud SecurityThreat Detection

Thanks For Reaching Out!

One of our expert will get back to you
promptly at asafshachar@gmail.com

See the Purple Team
See the breach before it happens
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.