APT29, also known as Cozy Bear, The Dukes, and Midnight Blizzard, has been pivoting toward intrusions against cloud infrastructure, the Five Eyes intelligence alliance has warned, according to BleepingComputer.
Cloud environments are being compromised by APT29 not only through previously compromised service account credentials but also through dormant accounts of former employees that organizations never deactivated, said the joint advisory from the FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the UK's National Cyber Security Centre, as well as cybersecurity agencies in Canada, Australia, and New Zealand. Aside from leveraging stolen access tokens to hijack accounts, APT29 has also been concealing malicious activity behind compromised routers and evading multi-factor authentication through MFA fatigue, according to the advisory. "As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment," said the advisory.
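Two of the behaviours the advisory describes, sign-ins from long-dormant accounts and MFA fatigue (a burst of denied push prompts followed by an approval), can be surfaced from authentication logs. The following is an added illustration, not code from the advisory or from any of the agencies; the event format, the `LAST_SEEN` directory data and the 90-day / 3-denial thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the advisory):
# (ISO timestamp, user, event type).
SAMPLE_EVENTS = [
    ("2024-02-26T09:00:00", "alice", "login_success"),
    ("2024-02-26T09:01:00", "alice", "mfa_push_approved"),
    ("2024-02-26T09:05:00", "bob", "mfa_push_denied"),
    ("2024-02-26T09:05:30", "bob", "mfa_push_denied"),
    ("2024-02-26T09:06:00", "bob", "mfa_push_denied"),
    ("2024-02-26T09:06:20", "bob", "mfa_push_denied"),
    ("2024-02-26T09:07:00", "bob", "mfa_push_approved"),
    ("2024-02-26T10:00:00", "svc_backup", "login_success"),
]

# Constructed directory data: each account's last successful sign-in
# before this log window (what an IdP's "last sign-in" attribute gives you).
LAST_SEEN = {
    "alice": "2024-02-25T17:00:00",
    "bob": "2024-02-23T08:00:00",
    "svc_backup": "2023-10-01T03:00:00",  # idle for months: a forgotten account
}

def parse(ts):
    return datetime.fromisoformat(ts)

def dormant_account_logins(events, last_seen, idle_days=90):
    """Return users whose successful sign-in follows >= idle_days of inactivity
    (or who have no recorded prior sign-in at all)."""
    hits = []
    for ts, user, kind in events:
        if kind != "login_success":
            continue
        prev = last_seen.get(user)
        if prev is None or parse(ts) - parse(prev) >= timedelta(days=idle_days):
            hits.append(user)
    return hits

def mfa_fatigue_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return users who approved an MFA push after >= threshold denials
    within `window`: the pattern of a user being worn down into accepting."""
    denials = defaultdict(list)
    flagged = set()
    for ts, user, kind in events:
        t = parse(ts)
        if kind == "mfa_push_denied":
            denials[user].append(t)
        elif kind == "mfa_push_approved":
            recent = [d for d in denials[user] if t - d <= window]
            if len(recent) >= threshold:
                flagged.add(user)
    return sorted(flagged)
```

Running both checks over the sample flags `svc_backup` as a dormant-account sign-in and `bob` as an MFA fatigue candidate; in practice the approval that follows a denial burst is the event to pair with an automatic session revocation and credential reset.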