UK and allies expose evolving tactics of Russian cyber actors


Malicious cyber actors linked to Russia’s Foreign Intelligence Service (SVR) are adapting their techniques in response to the increasing shift to cloud-based infrastructure, UK and international security officials have revealed.

In a new joint advisory, the National Cyber Security Centre (NCSC), which is a part of GCHQ, and agencies in the United States, Australia, Canada, and New Zealand have detailed how the threat group, which is known as APT29, has adapted its techniques for intelligence gain to target organisations that have moved to cloud-hosted environments.

Many of the sectors targeted by the SVR, including think tanks, healthcare, and education, have moved to cloud-based infrastructure, which means that traditional means of access - such as through the exploitation of software vulnerabilities – are more limited.

Instead, SVR actors have over the past 12 months been observed stealing system-issued access tokens to compromise victim accounts, enrolling new devices to the victim’s cloud environment via credential reuse from personal accounts, and targeted system accounts with password spraying and brute forcing, which is successfully enabled by weak passwords and the absence of 2-step verification (2SV).

Once initial access has been gained, the actor is then capable of deploying highly sophisticated capabilities.

Along with updated threat information, the advisory also provides mitigation advice on how to counter the evolving tactics of APT29. The NCSC assesses that APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear, is a cyber espionage group which almost certainly operates as part of Russia’s Foreign Intelligence Service.

NCSC Director of Operations, Paul Chichester, said:

“We are resolute in our commitment to exposing malicious cyber activity, which includes raising awareness of changes in the behaviour of groups which persistently target the UK.

“The NCSC urges organisations to familiarise themselves with the intelligence and mitigation advice within the advisory to help defend their networks.”

The NCSC has previously detailed how SVR actors have targeted governmental, think tank, healthcare, and energy targets for intelligence gain, and has more recently observed how their targeting has expanded to include aviation, education, law enforcement, local and state councils, government financial departments, and military organisations.

SVR cyber actors are most commonly known for the supply chain compromise of SolarWinds software in 2020 and the targeting of organisations involved in the development of the COVID-19 vaccine, also in 2020.

The advisory has been published jointly by the National Cyber Security Centre (NCSC), the US Cyber National Mission Force (CNMF), the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Signals Directorate (ASD), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC).

Find out more