An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | Feb. 26, 2024

Russian Cyber Actors Target Cloud-Hosted Infrastructure

FORT MEADE, MD. – The National Security Agency (NSA) joins the UK National Cyber Security Centre (NCSC-UK) and other partners in releasing the Cybersecurity Advisory (CSA), “SVR Cyber Actors Adapt Tactics for Initial Cloud Access.” The CSA outlines how Russia-based cyber actors are adapting their tactics, techniques, and procedures (TTPs) to infiltrate and access intelligence hosted in cloud environments as a growing number of targets store data in the cloud.
 
The cyber actors – commonly known as APT29, Midnight Blizzard, the Dukes, or Cozy Bear, and almost certainly associated with the Russian foreign intelligence service (SVR) – primarily gain access to cloud-based systems by logging into automated system accounts and inactive accounts via TTPs such as password spraying and brute forcing. These types of accounts often do not use multifactor authentication and have weak passwords, making them susceptible to the SVR actors’ techniques. According to the CSA, once inside a target’s cloud environment, the actors have successfully used system issued tokens or registered their own devices to maintain a presence in the system. The CSA also highlights a new TTP associated with these actors as the use of residential proxies to obscure their access and make suspicious activity harder to identify.
 
This CSA also provides indicators of compromise and recommends enforcing good cybersecurity fundamentals, including system account management, short token validity time periods, conditional access policies, device enrollment, strong password enforcement, multifactor authentication, and system updates.
 
“We often say, ‘cybersecurity is national security,’ and the Cybersecurity Advisory we are publishing today shows why,” said Rob Joyce, NSA’s director of Cybersecurity. “We, along with our valued partners in the U.K., have seen the potential for Russian state actors to infiltrate cloud environments and we’re responding accordingly. As the world modernizes their systems, we need to do all we can to reduce the attack surface for cyber actors to penetrate.”
 
The NCSC-UK has previously detailed how the SVR actors target the governmental, think tank, healthcare, and energy sectors. The CSA describes that SVR actors’ targeting has expanded to include aviation, education, law enforcement, local and state governments, government financial departments, and military organizations.
 
The cyber actors are also known for involvement in the supply chain compromise of SolarWinds software, targeting of COVID-19 vaccine development in 2016, and the breach of Democratic National Committee communications in 2015.

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.

NSA Media Relations
MediaRelations@nsa.gov
443-634-0721

Related Press Advisories

Combatting Cyber Threat Actors Perpetrating Living Off the Land Intrusions
NSA and Partners Spotlight People’s Republic of China Targeting of U.S. Critical Infrastructure
csd cybersecurity cloud SVR Cozy Bear Midnight Blizzard
Hosted by Defense Media Activity - WEB.mil Veterans Crisis Line