Russian threat actor expanding its target list, warns Five Eyes report

The Russian threat group known to researchers by several names, including APT29,  Midnight Blizzard, the Dukes, or Cozy Bear, is broadening its targets to cloud-based services, warn the Five Eyes nations that share intelligence.

In a report issued Monday, the partners — including the U.S., the U.K., Canada, Australia and New Zealand — said APT29 is expanding its targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations. And it’s going after the cloud services these organizations have.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment,” the report explains.

Until recently, this group focused mainly on governmental, think tank, healthcare, and energy targets for intelligence gain.

But arguably it’s best known for compromising the software update mechanism of SolarWinds’ Orion network management suite in 2019 to spread malware.

APT29 is a cyber espionage group, “almost certainly part of the SVR, an element of the Russian intelligence services,” the report says.

In previous SVR campaigns, the actors successfully used brute forcing and password spraying to access service accounts that run and manage applications and services, the report says.

In attacking cloud services, SVR actors have been seen using system-issued tokens to access their victims’ accounts, without needing a password.

The SVR successfully bypasses password authentication on personal accounts using password spraying and credential reuse. SVR actors have also then bypassed MFA through a technique known as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification, the report says.

Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own devices as new devices on the cloud tenant. If device validation rules are not set up, SVR actors can successfully register their own devices and gain access to the network.

Another SVR tactic is the use of residential proxies, which make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source. This can make it harder to distinguish malicious connections from typical users, the report says.

A strong baseline of cyber security fundamentals can help defend from such actors, the report says. For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to lower the odds of an initial network compromise.

More details are available in the report itself.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.