State-linked threat actors are ramping up attacks on cloud services - here’s what you need to know

The Russian hacking group known as APT29, Midnight Blizzard, the Dukes, or Cozy Bear is adapting its techniques to attack organizations' cloud-hosted environments.

The UK's National Cyber Security Centre (NCSC), along with Five Eyes partners the US, Australia, Canada and New Zealand, has issued an advisory about the threat.

"We are resolute in our commitment to exposing malicious cyber activity, which includes raising awareness of changes in the behavior of groups which persistently target the UK," said NCSC director of operations Paul Chichester.

"The NCSC urges organizations to familiarize themselves with the intelligence and mitigation advice within the advisory to help defend their networks."

The group is best known for the supply chain compromise of SolarWinds software in 2020, as well as the targeting of organizations involved in the development of the Covid-19 vaccine in the same year.

Linked to Russia’s Foreign Intelligence Service (SVR), it has tended to target think tanks, healthcare, and education organizations, many of which have moved to cloud-based infrastructure.

NCSC analysis shows it’s now expanding operations to target aviation, education, law enforcement, local and state governments, government financial departments, and military organizations.

As organizations move to the cloud, the group has been forced to move beyond its traditional means of initial access, such as exploiting software vulnerabilities on an on-premises network.

Instead, it's started targeting the cloud services themselves, which means successfully authenticating to the cloud provider.

Over the past 12 months, the NCSC said SVR-linked actors have been spotted stealing system-issued access tokens to compromise victim accounts, enrolling new devices to the victim's cloud environment via credential reuse from personal accounts, and targeting system accounts with password spraying and brute forcing.

Once initial access has been gained, the actor is then capable of deploying highly sophisticated capabilities, the NCSC warned, such as MagicWeb, spotted in 2022 targeting government organizations, NGOs, intergovernmental organizations, and think tanks across the US, Europe, and Central Asia.

These techniques are made possible by weak passwords and the absence of two-step verification - and the Five Eyes partners are advising organizations on how to stay safe.

Organizations should use multi-factor authentication (MFA) where possible, or failing that, strong, unique passwords; user and system accounts should be disabled when no longer required, and system and service accounts should implement the principle of least privilege.

The NCSC also suggested creating 'canary service accounts' that appear to be valid service accounts but are never used by legitimate services. In doing so, organizations can monitor these accounts to show if they’ve been compromised and are being used by threat actors.

Session lifetimes should be kept as short as practical, and device enrolment policies should be configured to only permit authorized devices to enroll.
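The canary-account monitoring described above, together with the password-spraying pattern the advisory warns about, can be turned into simple detection logic over sign-in telemetry. The following is an added example, not code from the NCSC or the article; the log format, the canary account names and the spray threshold are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample sign-in events (JSON lines); the schema is an assumption,
# not any particular cloud provider's audit format.
SAMPLE_LOG = """
{"ts": "2024-02-26T08:00:01Z", "user": "svc-backup", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T08:00:02Z", "user": "svc-etl", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T08:00:03Z", "user": "svc-report", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T08:00:04Z", "user": "svc-monitor", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T08:00:05Z", "user": "svc-canary-01", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-02-26T08:00:06Z", "user": "svc-canary-01", "ip": "203.0.113.7", "result": "success"}
{"ts": "2024-02-26T08:05:00Z", "user": "svc-backup", "ip": "198.51.100.9", "result": "success"}
"""

# Canary service accounts look real but are never used by legitimate services (assumed names).
CANARY_ACCOUNTS = {"svc-canary-01", "svc-canary-02"}
# Distinct accounts failing from one source before we call it spraying; tune per environment.
SPRAY_THRESHOLD = 4

def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def canary_alerts(events):
    """Any authentication attempt against a canary account, failed or successful, is an alert:
    nothing legitimate should ever touch these accounts."""
    return [e for e in events if e["user"] in CANARY_ACCOUNTS]

def spray_alerts(events, threshold=SPRAY_THRESHOLD):
    """Flag source IPs whose failures spread across many distinct accounts, the
    one-password-many-accounts shape of spraying rather than brute force on one user."""
    failed_users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed_users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed_users_by_ip.items() if len(users) >= threshold}

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for e in canary_alerts(events):
        print(f"CANARY {e['ts']} {e['user']} from {e['ip']} ({e['result']})")
    for ip, users in spray_alerts(events).items():
        print(f"SPRAY {ip} failed against {len(users)} accounts: {', '.join(users)}")
```

A real deployment would read the provider's sign-in audit log and page the on-call team on the canary hit, since the successful sign-in at 08:00:06 means the sprayed password worked.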

"As the world modernizes their systems, we need to do all we can to reduce the attack surface for cyber actors to penetrate," said Rob Joyce, director of cybersecurity for the US National Security Agency (NSA).

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.