Five Eyes nations warn of evolving Russian cyberespionage practices targeting cloud environments

The advisory issued by the U.K.'s National Cyber Security Centre breaks down tactics and techniques from SVR hacking ops.
Russian President Vladimir Putin delivers a speech standing in front of the monument "Fatherland, Valor, Honor" outside of the Foreign Intelligence Service of the Russian Federation (SVR) in Moscow on June 30, 2022. (Photo by MIKHAIL METZEL/Sputnik/AFP via Getty Images)

Longstanding cyberespionage and data collection units tied to Russia’s Foreign Intelligence Service (SVR) are evolving their techniques to gain access to cloud environments, the British, U.S. and partner governments said in an advisory Monday.

The advisory — issued by the U.K.’s National Cyber Security Centre and co-signed by a range of counterpart agencies in the U.S., Australia, Canada and New Zealand — details the evolving tactics, techniques and procedures that SVR hacking operations, tracked widely under the “APT29” and “Cozy Bear” monikers, are employing to penetrate the increasing number of cloud environments used by both private and public organizations.

APT29 operations are considered highly sophisticated and have been tracked since at least 2014, targeting a wide range of North American and European industries, including biotechnology, government, nonprofits, telecommunications and think tanks, according to an April 2022 report from Mandiant.

The U.S. government, for instance, attributed to APT29 the 2020 SolarWinds supply chain attack, one of the most consequential cyberespionage operations in recent years.


Even still, the agencies said Monday, basic cloud security measures can go a long way toward stymieing APT29 efforts.

“The SVR is a sophisticated actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds, however the guidance in this advisory shows that a strong baseline of cyber security fundamentals can help defend from such actors,” the notice read.

Attackers must first successfully authenticate to the cloud provider, the notice read, so basic steps can go a long way. Some of those steps include regularly evaluating and disabling dormant accounts that could be tied to employees who are no longer with organizations, working with cloud providers to limit the validity time of system-issued tokens (which enable logins without passwords), and more stringent device-enrollment policies.

The Cybersecurity and Infrastructure Security Agency has also shared best practices for business-oriented cloud environments through its Secure Cloud Business Applications (SCuBA) project, the advisory said.

Latest Podcasts