Cozy Bear and other APTs changing tack as cloud adoption increases

Threat actors with links to the Russian state are changing up their tactics as more organisations migrate to cloud-based infrastructure, but the good news is that baseline cyber mitigation strategies are still remarkably effective against even sophisticated government hackers, the UK’s National Cyber Security Centre (NCSC) has said.

In an advisory published jointly with its allied Five Eyes agencies from Australia, Canada, New Zealand and the US, the NCSC focused in particular on the advanced persistent threat (APT) group referred to as APT29, which is widely known as Cozy Bear and other names such as Midnight Blizzard.

Cozy Bear is a unit linked at various times to both Moscow’s Federal Security Service (FSB) and its Foreign Intelligence Service (SVR), both successor agencies to the Soviet Union’s KGB. Cozy Bear is most famously linked to the SolarWinds Sunburst/Solorigate incident, and the 2016 hack of the Democratic National Committee.

“We are resolute in our commitment to exposing malicious cyber activity, which includes raising awareness of changes in the behaviour of groups which persistently target the UK,” said NCSC operations director Paul Chichester.

“The NCSC urges organisations to familiarise themselves with the intelligence and mitigation advice within the advisory to help defend their networks.”

The NCSC said that many of the sectors targeted by Cozy Bear, such as think tanks, government bodies, and organisations in the education and health sectors, have moved to cloud-based infrastructure – particularly in the wake of Covid-19 – meaning that more traditional means of access, such as exploiting common vulnerabilities and exposures (CVEs) in software products have become a bit more limited.

Instead, it has observed Russian threat actors adopting new techniques, such as stealing system-issued access tokens to compromise victim accounts, enrolling new devices to the victim’s cloud environment by reusing compromised credentials, and targeted system accounts with password-spraying and brute force attacks.

Such methods are often successfully enabled on the victims’ part thanks to weak password management policies, and the absence of multifactor authentication (MFA).

Having gained initial access, said the NCSC, the threat actor uses highly sophisticated post-compromise capabilities, such as MagicWeb, a technique first documented in 2022 by Microsoft’s threat research teams, so organisations at risk are being urged to pay particular attention to initial access methods.

As such, defenders may consider some of the following mitigations a good starting point, if they have not already been adopted:

• Implement MFA immediately to reduce the impact of password compromises;
• Enforce strong, unique passwords across MFA-protected accounts, and disable them when not needed with an appropriate policy in place to manage joiners, movers and leavers;
• Adopt the principles of least privilege (POLP) to control access to important IT resources;
• Create ‘canary’ service accounts that appear to be valid but are never used, and implement monitoring and alerting on them to spot signs that a threat actor may have accessed your environment;
• Enforce strict time limits on session lifetimes to minimise the opportunity for a threat actor to abuse stolen session tokens – being sure to pair this policy with an appropriate authentication method that doesn’t wind up legitimate users too much;
• Configure device enrolment policies to only allow authorised devices, using zero-touch enrolment where possible, or a strong form of MFA where self-enrolment must be used.
• Consider using a broader range of information sources, such as application events and host-based logs, to prevent, detect and investigate oddities, paying particular attention to sources and indicators of compromise (IoCs) that have a better rate of false positives.