CISA and other U.S. and international partners, including the U.K. National Cyber Security Centre (NCSC), released a joint advisory yesterday, SVR Cyber Actors Adapt Tactics for Initial Cloud Access. The advisory provides information regarding the Russian Foreign Intelligence Service (SVR), also known as CozyBear, APT29, the Dukes, and Nobelium/Midnight Blizzard, and focuses on the recent tactics, techniques, and procedures (TTPs) used by SVR cyber actors to gain access to cloud environments. As governments and corporations move infrastructure to the cloud, SVR actors are adapting their tactics. This advisory provides valuable insights into how these threat actors have been targeting certain sectors for intelligence and how they have recently begun expanding their targeting and evolving their tactics. The advisory was also developed with reference to the MITRE ATT&CK® Framework and includes guidance and resources for mitigation and detection of these tactics.
WaterISAC and the authoring agencies encourage network defenders and organizations to review the joint advisory for recommended mitigations. For more information on APT29, see the joint CSA Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally, or visit CISA’s Russia Cyber Threat Overview and Advisories page. For more guidance on cloud security best practices, see CISA’s Secure Cloud Business Applications (SCuBA) Project.