Five Eyes Warn of APT29 Russian Foreign Intelligence Service Hackers Targeting Cloud Services
ICARO Media Group
A joint advisory by the U.K.'s National Cyber Security Centre, the NSA, CISA, the FBI, and cybersecurity agencies from Australia, Canada, and New Zealand highlights that the Russian threat group is shifting their focus to attacks on cloud infrastructure.
The APT29 hackers, also known as Cozy Bear, Midnight Blizzard, and The Dukes, have a history of breaching U.S. federal agencies and compromising Microsoft 365 accounts belonging to entities within NATO nations. Most recently, in November 2023, the Russian cyberspies breached the Exchange Online accounts of Microsoft executives and users from other organizations.
The advisory emphasizes that as organizations transition to cloud-based systems, the SVR hackers have adapted their tactics to target cloud services directly. They are gaining access to cloud environments through compromised service account credentials, dormant accounts, stolen access tokens, compromised residential routers, MFA fatigue, and by registering their own devices on victims' cloud tenants.
To defend against APT29's evolving tactics, network defenders are advised to implement strong password policies, enable multi-factor authentication, follow the principle of least privilege for system and service accounts, create canary service accounts for quicker compromise detection, and reduce session lifetimes to prevent the use of stolen session tokens.
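Two of the mitigations above, canary service accounts and watching dormant accounts, lend themselves to a simple detection over sign-in logs. The script below is an added example, not part of the advisory or the article; the account names, the JSON-lines log shape and its field names (`ts`, `user`, `result`, `ip`) are constructed assumptions rather than any provider's real schema.

```python
import json
from datetime import datetime

# Canary service accounts exist only to look attractive and are never used legitimately,
# so ANY sign-in attempt against them, successful or not, is a high-confidence alert.
# These names are constructed for the example.
CANARY_ACCOUNTS = {"svc-backup-legacy@example.com", "svc-etl-old@example.com"}

# Constructed sign-in records in JSON-lines form (field names are an assumption).
SAMPLE_LOG = """
{"ts": "2024-02-20T08:01:00Z", "user": "alice@example.com", "result": "success", "ip": "203.0.113.10"}
{"ts": "2024-02-26T09:14:00Z", "user": "svc-etl-old@example.com", "result": "failure", "ip": "198.51.100.7"}
{"ts": "2024-02-26T09:14:30Z", "user": "svc-etl-old@example.com", "result": "success", "ip": "198.51.100.7"}
{"ts": "2023-10-01T10:00:00Z", "user": "svc-archive@example.com", "result": "success", "ip": "203.0.113.10"}
{"ts": "2024-02-27T11:00:00Z", "user": "svc-archive@example.com", "result": "success", "ip": "198.51.100.9"}
{"ts": "2024-02-27T11:05:00Z", "user": "alice@example.com", "result": "success", "ip": "203.0.113.10"}
"""


def parse_events(raw):
    """Parse JSON-lines sign-in records and return them sorted by timestamp."""
    events = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def canary_alerts(events):
    """Every attempt against a canary account is an alert, regardless of outcome."""
    return [e for e in events if e["user"].lower() in CANARY_ACCOUNTS]


def dormant_reactivations(events, dormant_days=90):
    """Successful sign-ins to an account whose previous success was >= dormant_days earlier."""
    last_success = {}
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        user = e["user"].lower()
        prev = last_success.get(user)
        if prev is not None and (e["ts"] - prev).days >= dormant_days:
            alerts.append(e)
        last_success[user] = e["ts"]
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in canary_alerts(evs):
        print("CANARY", e["ts"].isoformat(), e["user"], e["result"], e["ip"])
    for e in dormant_reactivations(evs):
        print("DORMANT-REACTIVATED", e["ts"].isoformat(), e["user"], e["ip"])
```

On the constructed log this flags both attempts against `svc-etl-old@example.com` and the first sign-in to `svc-archive@example.com` after roughly five months of silence, while routine activity by `alice@example.com` stays quiet.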
The Five Eyes allies underscore the importance of organizations adopting these mitigations to strengthen their defenses against the persistent threat posed by APT29. By being proactive in implementing these security measures, organizations can enhance their resilience against sophisticated cyber threats in the evolving landscape of cloud-based infrastructure.