iT4iNT SERVER SEC Drops SolarWinds Case After Years of High-Stakes Cybersecurity Scrutiny http://dlvr.it/TPNm8H VDS VPS Cloud
Russia’s APT29 caught in Amazon-led cyber takedown
Hackers from Russia’s APT29 hijacked trusted websites to secretly steer visitors towards fake Cloudflare pages, but Amazon tracked the operation and shut it down before it could spread further.
Source: Recorded Future News | Amazon
Read more: CyberSecBrief
Rogue RDP Attacks: APT29 Targets High-Value Victims with Deceptive RDP Attacks
Threat actors are constantly developing new and sophisticated methods to get past organizations’ defenses. A recent campaign by the APT group Earth Koshchei (also tracked as APT29 and Midnight Blizzard) highlights these evolving tactics. The campaign involved rogue RDP attacks, in which the attackers repurposed red team tooling (an RDP man-in-the-middle relay placed between the victim and the attacker’s RDP server) for espionage and data exfiltration. Key…
Microsoft Warns of Russian Spear-Phishing Attacks
Microsoft has recently issued a warning about a large-scale spear-phishing campaign attributed to the notorious Russian state-sponsored threat actor known as Midnight Blizzard. This campaign has targeted thousands of users at more than 100 organizations in the government, defense, academia, NGO, and other sectors, likely with the goal of collecting intelligence.
Who is Midnight Blizzard?
Midnight Blizzard, also known as APT29, Cozy Bear, the Dukes, and Yttrium, is a well-known threat actor that has been targeting these types of organizations, primarily in the United States and Europe. The group is known for recent attacks targeting Microsoft systems, in which they managed to steal source code and spy on executive emails.
The Latest Campaign
According to Microsoft, the latest campaign has targeted the United Kingdom and other European countries, as well as Australia and Japan. The attacks are ongoing, and the company has shared indicators of compromise (IoCs) to help organizations detect them. One notable aspect of this campaign is the use of a signed RDP configuration (.rdp) file, attached to the email, that points at an attacker-controlled server. When the target opens the file, the system establishes an outbound RDP session to the actor-controlled server and shares local resources with it, including local drives, clipboard contents, printers, and authentication features. That access could let the threat actor install malware or maintain persistent access even after the RDP session is closed.
Protecting Against Spear-Phishing Attacks
To protect against this and similar spear-phishing attacks, organizations should:
- Educate employees on the signs of spear-phishing emails, such as impersonation of legitimate entities and the presence of suspicious attachments or links.
- Implement robust email security measures, including spam filtering, attachment scanning, and domain-based message authentication.
- Keep software and systems up-to-date to address known vulnerabilities that could be exploited by the threat actors.
- Monitor network traffic and logs for any suspicious activity, such as unusual RDP connections or data exfiltration attempts.
- Regularly review and update incident response and disaster recovery plans to ensure they are prepared to handle such advanced persistent threats.
Read the full article
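A practical first control for the lure described above is to triage any .rdp attachment before it reaches a user, because the settings that expose local resources are plain text inside the file. The Python below is an added example, not code from Microsoft or from the article: it parses the `name:type:value` lines of a .rdp file, flags the redirection settings that would hand drives, clipboard, printers, smart cards or WebAuthn prompts to the remote host, notes whether the file carries a signature (which proves nothing about who signed it), and checks the `full address` against a placeholder list of trusted RDP hosts (`corp.example`). The sample lure file and its hostname are constructed for this example; the setting names are real mstsc settings, but which of them count as risky is this example's own choice.

```python
"""Added example: static triage of a .rdp attachment.  Which local resources
would it hand to the remote host, and is that host one we actually operate?"""
from dataclasses import dataclass, field

# Integer-typed .rdp settings that expose local resources when set to 1.
# The key names are real mstsc settings; the risk wording is this example's.
RISKY_INT_KEYS = {
    "redirectdrives": "local drives mounted inside the remote session",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "local printers exposed to the remote host",
    "redirectsmartcards": "smart cards (and the logons they unlock) forwarded",
    "redirectposdevices": "point-of-sale devices forwarded",
    "redirectwebauthn": "WebAuthn/passkey prompts forwarded to the remote host",
    "remoteapplicationmode": "RemoteApp mode: the full desktop stays hidden from the user",
}
# String-typed settings whose non-empty value ("*" means everything) enumerates
# drives/devices to redirect even when the integer switches above are absent.
RISKY_STR_KEYS = {
    "drivestoredirect": "explicit drive redirection list",
    "devicestoredirect": "explicit device redirection list",
}


@dataclass
class RdpVerdict:
    target_host: str
    signed: bool
    trusted_target: bool
    findings: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.findings and not self.trusted_target:
            return "block"      # local resources offered to a host we do not run
        if self.findings or not self.trusted_target:
            return "review"
        return "allow"


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines (type is i, s or b) into {name: (type, value)}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue  # malformed setting; mstsc ignores these as well
        settings[parts[0].strip().lower()] = (parts[1], parts[2])
    return settings


def _host_only(full_address: str) -> str:
    """Strip an optional ':port' from a 'host:port' value (hostname/IPv4 form)."""
    host, sep, port = full_address.rpartition(":")
    return host if sep and port.isdigit() else full_address


def analyze_rdp(text: str, trusted_suffixes=("corp.example",)) -> RdpVerdict:
    """Flag settings that give the remote host reach into the local machine.

    trusted_suffixes: DNS suffixes of RDP hosts the organisation operates
    (the default is a placeholder for this example)."""
    s = parse_rdp(text)
    host = _host_only(s.get("full address", ("s", ""))[1]).lower()
    trusted = any(host == d or host.endswith("." + d) for d in trusted_suffixes)
    # A signature only shows the file was not altered after signing; anyone
    # holding a certificate can sign one, so it confers no trust here.
    signed = bool(s.get("signature", ("s", ""))[1])
    v = RdpVerdict(target_host=host, signed=signed, trusted_target=trusted)
    for key, why in RISKY_INT_KEYS.items():
        typ, val = s.get(key, ("i", "0"))
        if typ == "i" and val.strip() == "1":
            v.findings.append(f"{key}=1: {why}")
    for key, why in RISKY_STR_KEYS.items():
        typ, val = s.get(key, ("s", ""))
        if typ == "s" and val.strip():
            v.findings.append(f"{key}={val.strip()!r}: {why}")
    return v


# Constructed sample in the shape of the lure files described in the article;
# the hostname is a placeholder, not a real indicator.
SAMPLE_LURE = """\
full address:s:aws-secure-session.example.net:3389
redirectdrives:i:1
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:1
drivestoredirect:s:*
alternate shell:s:rdpinit.exe
signature:s:AQABAAEAAAB
signscope:s:Full Address,Redirect Drives
"""

if __name__ == "__main__":
    result = analyze_rdp(SAMPLE_LURE)
    print(result.verdict, result.target_host, "signed" if result.signed else "unsigned")
    for finding in result.findings:
        print(" -", finding)
```

Run at the mail gateway or as a pre-open hook, a "block" verdict should quarantine the message; "review" covers the two ambiguous cases (an unknown host with nothing redirected, or a trusted host with redirection on, which may simply be a legitimate jump host). The parser deliberately treats the signature as metadata only, since the lure files in this campaign were signed and still malicious.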
TeamViewer Hacked: Russian State-Sponsored Group APT29 Behind Cyberattack
TeamViewer, a popular remote access software company, has disclosed a security breach affecting its corporate IT environment. The breach, detected on June 26, 2024, has now been attributed to the Russian state-sponsored hacking group known as APT29, Midnight Blizzard, or Cozy Bear.
Initial Detection and Response
TeamViewer's security team detected an "irregularity" in its internal corporate IT systems on Wednesday, June 26. The company promptly activated its incident response procedures, engaging a team of cybersecurity experts to investigate and implement the necessary remediation measures.
Scope of the Breach
According to TeamViewer, its internal corporate IT environment is completely separate from the product environment. The company stated that there is no evidence that the product environment or customer data has been affected. Investigations are ongoing, however, and the company's primary focus remains ensuring the integrity of its systems.
APT29 Involvement Confirmed
In an update released on Friday, June 28, TeamViewer officially attributed the attack to APT29. The company revealed that the threat actors used credentials associated with an employee account within the corporate IT environment. TeamViewer's security teams identified suspicious behavior related to this account and immediately implemented incident response measures.
Widespread Implications
TeamViewer's software is used by over 640,000 customers worldwide and has been installed on more than 2.5 billion devices since the company's inception. This extensive user base makes any potential breach a significant concern, as the product could provide a path into numerous internal networks.
Industry Alerts and Warnings
Before TeamViewer's official attribution, several cybersecurity entities had already raised alarms about the incident:
- NCC Group's Global Threat Intelligence team warned of a "significant compromise" of the TeamViewer platform by an APT group.
- Health-ISAC, a community for healthcare professionals, issued an alert stating that APT29 was actively exploiting TeamViewer.
- The Dutch Digital Trust Center shared information about the threat on its web portal.
APT29: A Persistent Threat
APT29, also known as Cozy Bear, NOBELIUM, and Midnight Blizzard, is a Russian advanced persistent threat group linked to Russia's Foreign Intelligence Service (SVR). The group is notorious for its cyberespionage capabilities and has been implicated in numerous high-profile attacks, including recent breaches of Microsoft's and Hewlett Packard Enterprise's corporate email environments.
Transparency and Communication
TeamViewer has pledged to maintain transparency throughout the investigation and to provide continuous updates as more information becomes available. It is worth noting, however, that the company initially included a "noindex" HTML tag on its update page, which prevented search engines from indexing the document. TeamViewer has since removed the tag, making the information easier to find.
Recommendations and Precautions
Given the widespread use of TeamViewer and the potential implications of this breach, cybersecurity experts recommend the following precautions:
- Review logs for any unusual remote desktop traffic.
- Be vigilant for exploitation of remote access tools.
- Consider temporarily removing TeamViewer until more details about the compromise are known.
As investigations continue, users and organizations relying on TeamViewer should stay alert for further updates and guidance from the company and from cybersecurity authorities.
Read the full article
APT44, Cyber Espionage & More In NATO Cyber Threats
Emboldened and Evolving: NATO Cyber Threats snapshot
As NATO members and partners prepare for a landmark summit, the cyber threat must be considered. Emboldened state-sponsored actors, hacktivists, and criminals are willing to cross lines and commit acts previously thought unthinkable to attack the Alliance. Beyond military targets, NATO must address hybrid threats, including harmful cyber activity against hospitals, civil society, and other targets that could affect contingency resilience. Many of these risks are linked to the war in Ukraine, but many others will grow independently of it, and at the same time.
NATO faces clandestine, aggressive cyber actors that gather intelligence, assault key infrastructure, and spread disinformation. Google is closely watching cyber threats, including those in this report, to safeguard its customers and businesses, but this is just a snapshot of a bigger and developing world.
What is Cyber espionage?
Cyber espionage is the unauthorised theft of information over computer networks: the digital version of traditional espionage.
Cyber espionage
NATO’s adversaries have long used cyber espionage to gain political, diplomatic, and military insight and to acquire defence technologies and economic secrets. Intelligence on the Alliance’s own deliberations will be especially valuable in the coming months: this summit marks a transition, with Mark Rutte taking over as Secretary General and other changes planned to strengthen the Alliance’s defence posture and long-term support for Ukraine. Cyber espionage by threat actors could erode NATO’s strategic advantage and inform adversary leadership on how to counter NATO’s investments and ambitions.
NATO faces cyber espionage from actors around the globe. Many still rely on simple but effective approaches such as social engineering. Others have advanced their tradecraft to the point of being formidable opponents for even the most skilled defenders.
APT29 (ICECAP)
APT29, attributed to the Russian Foreign Intelligence Service (SVR) by various governments, collects diplomatic and political intelligence on Europe and NATO member states. APT29 has carried out several high-profile compromises of technology corporations whose products give access to the public sector. In the past year, Mandiant has seen APT29 target technology businesses and IT service providers in NATO member states in order to compromise the third-party and software supply chains of government and policy organisations. The actor is skilled in cloud environments and adept at covering its tracks, making it hard to detect, track, and evict from compromised networks.
In addition to spear-phishing NATO members, APT29 has traditionally targeted diplomatic bodies. The actor has breached European and U.S. executive authorities multiple times. They have also targeted political parties in Germany and the U.S. to gather intelligence on potential government policy.
Cyberespionage from China
Recently, Chinese cyber espionage has shifted from noisy, easily identified operations to stealth. Technical advances have made defence harder and have helped these actors target government, military, and commercial organisations in NATO member states.
Chinese Cyber Espionage increasingly uses:
Targeting the network edge: exploiting zero-day vulnerabilities in security appliances and other internet-facing network infrastructure, which reduces exposure to user detection and security controls and lets operators rely less on social engineering. Chinese espionage actors exploited 12 zero-days (vulnerabilities unknown to the vendor, with no patch available at the time of exploitation) in 2023, several of them in network edge security products. These devices make attractive beachheads into compromised networks because they typically cannot run endpoint detection agents.
Hiding malicious traffic behind operational relay box (ORB) networks. Threat actors have always used proxies to mask their traffic on the internet, but a small, static set of proxies is easy to track. Instead, these actors route through large, ephemeral ORB networks built from rented and compromised devices, which are hard to trace and undermine infrastructure-based intelligence sharing among defenders.
Living off the land to avoid detection. Some actors break in and move without deploying malware at all, instead abusing legitimate system tools, features, and functionality to traverse networks and achieve their objectives. With no malware to detect or to share intelligence about, defenders are at a disadvantage.
Not just Chinese threat actors use these methods. Russian actors APT29, APT28, and APT44 have employed them.
Cyberattacks that disrupt and destroy
Cyberattacks are increasing and threaten NATO directly and indirectly. Iranian and Russian state actors have been eager to attack NATO countries in recent years, hiding behind front personas that claim credit. Mandiant described a 2022 destructive attack on Albania by a purported hacktivist group called “HomeLand Justice” that the U.S. Government subsequently attributed to Iranian actors.
While demonstrating in Ukraine their ability to mount complex attacks on highly sensitive operational technology systems, state actors are also pre-positioning in NATO countries’ critical infrastructure for future disruption. These actors have both the means and the motivation to disrupt NATO’s critical infrastructure.
Alongside state cyberattacks, disruptions by hacktivists and criminals can no longer be ignored. A global hacktivist resurgence has produced serious attacks on the public and private sectors, and criminal activity has become a national security concern.
APT44 Sandworm, Frozenbarents
Highly advanced cyber threat outfit APT44, also known as Sandworm, is thought to be backed by Russian military intelligence.
Espionage, disruption, and disinformation efforts are APT44’s specialties. For over a decade, they’ve carried out disruptive malware attacks including BlackEnergy and Industroyer.
APT44 summary:
Targets: APT44 has hit critical infrastructure, government agencies, and international sports organisations. Since Russia’s invasion, Ukraine has been its top target.
Tactics: APT44 has many tools to achieve its goals. Supply chain attacks, phishing emails, and software flaws are examples. They may use wiper malware to delete data and disrupt operations.
The range of APT44’s capabilities makes it worrisome. APT44 conducts espionage, sabotage, and influence operations, unlike many APT groups.
NotPetya, the globally destructive 2017 attack, the strikes on the Pyeongchang Olympic Games, and power outages in Ukraine have all been carried out by APT44. This Russian military intelligence-linked actor has executed technically complex disruptions of sensitive operational systems as well as broad-effect destructive attacks. Since the war began, APT44 has carried out most of its disruptive operations in Ukraine and smaller-scale attacks in NATO countries.
In October 2022, APT44 deployed PRESSTEA (Prestige) ransomware against Polish and Ukrainian logistics companies. The malware was destructive, with no realistic path to recovery, likely intended to demonstrate the group’s ability to disrupt supply routes carrying lethal aid to Ukraine. The operation shows APT44’s willingness to take risks by using a disruptive capability against a NATO member state.
Hacktivists
Geopolitical flashpoints such as Russia’s invasion of Ukraine have sparked a global hacktivism revival. Despite focusing on NATO members, these actors have had mixed results. Many operations are meant to draw attention and create a false sense of insecurity but cause no lasting damage.
These actors cannot be disregarded despite their limitations. Their attacks draw media attention in target countries and occasionally have real effects. One of their preferred methods, distributed denial-of-service (DDoS) attacks, is largely cosmetic but could be used to greater effect around elections. Hacktivist personas such as the pro-Russian Cyber Army of Russia Reborn (CARR) are also testing larger strikes on critical infrastructure. CARR, which has suspected ties to APT44, has affected U.S., Polish, and French water systems in a series of crude but aggressive acts.
Cybercriminals
Financially motivated ransomware disruptions are already hitting NATO states’ critical infrastructure, causing failures in hospital patient care, energy, and government services. Many criminals target this infrastructure despite public pledges not to. Russian-speaking criminals, and North Korean state actors raising funds for espionage, have regularly attacked U.S. and European healthcare institutions. The threat will likely grow, given these actors’ ability to operate from states with little cybercrime enforcement or no extradition agreements, and the profitability of ransomware.
Information Operations and Disinformation
Information operations have grown in cyber threat activities over the past decade as wars and geopolitical tensions have increased. These operations range from “troll farm” social media manipulation to intricate network intrusions. Russian and Belarusian information operations have targeted NATO member nations to weaken the Alliance’s cohesiveness and goals.
Some cyber espionage operators who collect clandestine intelligence also run information operations. APT28 and COLDRIVER have used stolen data in hack-and-leak activity, while UNC1151 has used intrusion capabilities in more complex information operations. False and misleading information is used to influence public opinion, foment strife, and advance political goals.
Google counters these activities across its products, teams, and geographies wherever they break its policies, disrupting both overt and covert information operations campaigns. It reports quarterly in the TAG Bulletin on the YouTube channels, blogs, AdSense accounts, and URLs removed from Google News surfaces as a result.
Information Operations of Prigozhin Survive
The disinformation apparatus of the late Russian businessman Yevgeniy Prigozhin continues to operate, albeit less efficiently, after his death. These campaigns keep spreading disinformation and pro-Russia narratives across many social media platforms and multiple regions, recently with an emphasis on alternative sites.
These efforts call for NATO’s disarmament and claim it causes global instability; they also attack NATO leaders. The content is heavily shaped by geopolitical events such as Russia’s 2022 invasion of Ukraine and by other Russian strategic aims. NATO’s and its member states’ support for Ukraine has made the Alliance a major target, directly and indirectly, by placing it in opposition to Russia’s strategic interests.
COLDRIVER
COLDRIVER is a Russian cyber espionage actor linked to the Federal Security Service (FSB). It frequently runs credential phishing campaigns against prominent NGOs and retired intelligence and military leaders. Mailbox data stolen from victims by COLDRIVER has been used in hack-and-leak operations: in 2022, COLDRIVER leaked material intended to deepen Brexit-related political divisions in the UK.
Before that, the actor leaked U.S.-UK trade documents ahead of the 2019 UK general election. Originally focused on NATO countries, COLDRIVER expanded in 2022 to include the Ukrainian government and supporters of Ukraine. In March 2022, COLDRIVER campaigns targeted numerous European militaries and a NATO Centre of Excellence for the first time.
Read more on govindhtech.com
Russian Hacking Group APT29 Adapts to Cloud Migration
The Russian intelligence hacking group, known as APT29 or Cozy Bear, is adjusting its tactics in response to the corporate shift toward cloud infrastructure. International cyber agencies have issued an alert regarding this development.
Background
Also referred to as Midnight Blizzard and the Dukes, this threat actor operates under the Russian Foreign Intelligence Service (SVR). In 2021, the Biden administration publicly attributed the backdooring of SolarWinds’ IT infrastructure software to APT29.
Hacking Techniques
- Brute-Forcing Passwords: APT29 runs brute-force and password-spraying attacks against dormant accounts and against service accounts used for automated API calls.
- Targeting Service Accounts: Service accounts, which typically lack multifactor authentication, are attractive targets for the group.
Security Concerns
As enterprises increasingly rely on remote infrastructure for their core business, the security picture has shifted. The move resolves some old concerns but introduces a new generation of threats. Worldwide spending on public cloud providers, including AWS and Google, is projected to reach $679 billion this year, according to the consultancy Gartner. Within the next five years, most organizations are expected to view cloud platforms as a “business necessity” rather than merely an “innovation facilitator” or a “business disruptor.” Intelligence agencies have warned of intensifying worldwide cyber espionage by APT29 against the backdrop of Russia's continued war on Ukraine. In November, Ukrainian cyber authorities attributed attacks on the embassies of numerous countries to APT29.
APT29's Intrusion into Microsoft
In January, Microsoft revealed that APT29 had stolen emails and documents from the accounts of senior leaders and of staff in its cybersecurity and legal teams.
APT29's Tactics
APT29 uses several techniques to get in:
- Token Theft: stealing cloud authentication tokens, which grant access to accounts without a password.
- MFA Bombing: repeatedly pushing sign-in approval requests to the victim's device until the victim, by accident or out of frustration, approves one, bypassing multifactor authentication.
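The brute-forcing of dormant and service accounts described under Hacking Techniques and the MFA bombing described here both leave a recognisable pattern in identity-provider sign-in logs. The Python below is an added example, not from the agencies' advisory or from the article: it runs over a constructed set of sign-in events and a constructed account inventory, raises an alert for a burst of password failures against a dormant or service account (and a separate, higher-confidence alert when such a burst is followed by a success), and raises an alert for a run of MFA push prompts ending in an approval. Account names, addresses, thresholds and the five event names are all assumptions of this example; map your own IdP's result codes onto those names before running it on real logs.

```python
"""Added example: spot brute-forcing of dormant/service accounts and MFA
push bombing in identity sign-in events.  All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed account inventory (example assumptions) ------------------
NOW = datetime(2024, 3, 1, 12, 0)
SERVICE_ACCOUNTS = {"svc-backup-api"}   # automation identities, no MFA
LAST_INTERACTIVE_LOGIN = {              # None = never logged in interactively
    "j.doe": datetime(2024, 2, 28, 9, 0),
    "old.contractor": datetime(2023, 9, 10, 11, 0),
    "svc-backup-api": None,
}
DORMANT_AFTER = timedelta(days=90)

# --- constructed sign-in events: (iso_time, user, source_ip, event) -------
# event is one of: pw_fail, pw_ok, mfa_push, mfa_denied, mfa_approved
EVENTS = [
    # j.doe's normal day: one push, approved promptly
    ("2024-02-28T09:00:00", "j.doe", "198.51.100.7", "pw_ok"),
    ("2024-02-28T09:00:04", "j.doe", "198.51.100.7", "mfa_push"),
    ("2024-02-28T09:00:20", "j.doe", "198.51.100.7", "mfa_approved"),
    # dormant account guessed at from one address, then a success
    *[(f"2024-03-01T02:0{i}:00", "old.contractor", "203.0.113.9", "pw_fail") for i in range(6)],
    ("2024-03-01T02:06:00", "old.contractor", "203.0.113.9", "pw_ok"),
    # service account (no MFA to stop a correct guess): five failures so far
    *[(f"2024-03-01T03:0{i}:00", "svc-backup-api", "203.0.113.9", "pw_fail") for i in range(5)],
    # j.doe: valid password from a new address, then pushes until one is approved
    ("2024-03-01T08:00:00", "j.doe", "203.0.113.9", "pw_ok"),
    ("2024-03-01T08:00:05", "j.doe", "203.0.113.9", "mfa_push"),
    ("2024-03-01T08:00:30", "j.doe", "203.0.113.9", "mfa_denied"),
    ("2024-03-01T08:01:00", "j.doe", "203.0.113.9", "mfa_push"),
    ("2024-03-01T08:01:20", "j.doe", "203.0.113.9", "mfa_denied"),
    ("2024-03-01T08:02:00", "j.doe", "203.0.113.9", "mfa_push"),
    ("2024-03-01T08:03:00", "j.doe", "203.0.113.9", "mfa_push"),
    ("2024-03-01T08:03:15", "j.doe", "203.0.113.9", "mfa_approved"),
]


def is_dormant_or_service(user: str) -> bool:
    """Accounts nobody is watching: automation identities and long-idle users."""
    if user in SERVICE_ACCOUNTS:
        return True
    last = LAST_INTERACTIVE_LOGIN.get(user)
    return last is None or NOW - last > DORMANT_AFTER


def _recent(times, now, window):
    """Keep only timestamps that fall inside the sliding window ending at now."""
    return [t for t in times if now - t <= window]


def _alert(rule, user, ip, t, severity):
    return {"rule": rule, "user": user, "ip": ip, "at": t.isoformat(), "severity": severity}


def detect(events, fail_threshold=5, fail_window=timedelta(minutes=15),
           push_threshold=3, push_window=timedelta(minutes=10)):
    """Return alert dicts (rule, user, ip, at, severity) for the two patterns."""
    by_user = defaultdict(list)
    for ts, user, ip, event in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, event))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        quiet_account = is_dormant_or_service(user)
        fails, pushes = [], []              # timestamps inside the current windows
        fail_alerted = push_alerted = False
        for t, ip, ev in evs:
            if ev == "pw_fail":
                fails = _recent(fails, t, fail_window) + [t]
                if len(fails) >= fail_threshold and not fail_alerted:
                    fail_alerted = True     # one alert per burst, not per failure
                    alerts.append(_alert("brute_force_attempt", user, ip, t,
                                         "high" if quiet_account else "medium"))
            elif ev == "pw_ok":
                # A success right after a failure burst is the real signal.
                if len(_recent(fails, t, fail_window)) >= fail_threshold:
                    alerts.append(_alert("brute_force_success", user, ip, t, "high"))
                fails, fail_alerted = [], False
            elif ev == "mfa_push":
                pushes = _recent(pushes, t, push_window) + [t]
                if len(pushes) >= push_threshold and not push_alerted:
                    push_alerted = True
                    alerts.append(_alert("mfa_fatigue_attempt", user, ip, t, "medium"))
            elif ev == "mfa_approved":
                if len(_recent(pushes, t, push_window)) >= push_threshold:
                    alerts.append(_alert("mfa_fatigue_approved", user, ip, t, "high"))
                pushes, push_alerted = [], False
            # mfa_denied: no state change; the count of prompts sent is what matters
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['at']} {a['severity']:6} {a['rule']:22} {a['user']} from {a['ip']}")
```

The dormant/service distinction drives severity because those accounts are exactly the ones the advisory says APT29 goes after: nobody notices failed logons against them, and a service account has no MFA to stop a correct guess. The push-bombing rule counts prompts sent rather than denials, so a victim who simply ignores the prompts still trips it.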
Persistence and Camouflage
Upon gaining entry, APT29 may establish persistence by adding its own devices to the network. To further conceal its activities, it routes internet traffic through residential proxies. This provides the attackers with an exit point from residential networks and IP addresses, which are less likely to arouse the suspicion of system administrators. Read the full article
The last week of July 2022 saw the discovery of 462 vulnerabilities, of which 7 gained the attention of threat actors and security researchers worldwide. Among these 7, 2 were zero-days, and 1 was still awaiting analysis in the National Vulnerability Database (NVD). The Hive Pro Threat Research Team has curated a list of 7 CVEs that require immediate action.
We also observed 4 threat actor groups being highly active in the last week. APT29, a Russian group known for information theft and espionage, was seen running phishing campaigns that deliver malware via cloud storage services; EvilNum, a group of unknown origin known for information theft and espionage, was seen targeting the decentralized finance (DeFi) sector; APT37, a North Korean group known for information theft and espionage, was seen running campaigns using the Konni RAT; and KNOTWEED, an Austria-based private-sector offensive actor, was observed exploiting zero-day vulnerabilities in Windows and Adobe products in targeted attacks against European and Central American customers. Common TTPs that these threat actors or CVEs could involve are listed in the detailed section.