Cyber Threat Report: 'SVR cyber actors adapt tactics for initial cloud access'
Field | Value |
---|---|
Report Author | UK NCSC |
Publication Date | 2024-02-26 |
Original Reporting | Source |
Attributed to Nation | Russia |
Related Intrusion Sets | APT29, Cozy Bear, The Dukes, Midnight Blizzard |
Related Threat Actors | SVR - Russian Foreign Intelligence Service |
Victim Sectors | Emergency Services, Aerospace, Energy, Education, Local Government, Non Profit, National Government, Healthcare |
This advisory from the UK's National Cyber Security Centre (NCSC) outlines the tactics, techniques and procedures (TTPs) used by cyber actors associated with the SVR (Russia's Foreign Intelligence Service). Specifically, the NCSC links the activity to the intrusion set aliases Midnight Blizzard, the Dukes and Cozy Bear. The advisory details the modernisation of the actor's TTPs, including their ability to target victims' cloud environments.
Mitigations to defend against the techniques in this report
Mitigation | Description |
---|---|
Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
Multi-factor Authentication | Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator. |
Account Use Policies | Configure features related to account use, such as login attempt lockouts, specific login times, etc. |
User Account Management | Manage the creation, modification, use, and permissions associated with user accounts. |
Password Policies | Set and enforce secure password policies for accounts. |
User Training | Train users to be aware of access or manipulation attempts by an adversary, to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Restrict Web-Based Content | Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. |
Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
Active Directory Configuration | Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. |
Identified MITRE ATT&CK Techniques
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1090.002 | External Proxy | Command and Control |
T1098.005 | Device Registration | Persistence, Privilege Escalation |
T1110 | Brute Force | Credential Access |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1528 | Steal Application Access Token | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |