Russia's Cozy Bear dives into cloud environments with a new bag of tricks

Russia's notorious Cozy Bear, the crew behind the SolarWinds supply chain attack, has expanded its targets and evolved its techniques to break into organizations' cloud environments, according to the Five Eyes governments.

Cozy Bear, also known as APT29 and Midnight Blizzard, is a cyber espionage group linked to the Russian Foreign Intelligence Service (SVR). It's perhaps best known for backdooring SolarWinds' network monitoring software and then using that access to spy on the vendor's customers – including the US Treasury, Justice and Energy departments, and the Pentagon.

Microsoft was also among the high-profile victims that came to light in late 2020 and early 2021. Much more recently – just last month – Redmond disclosed that these same spies broke into some Microsoft corporate email accounts and stole stole internal messages and files.

Fast forward a month, and we're hearing that Cozy Bear has moved beyond its usual methods of gaining initial access – such as exploiting software bugs in on-premises networks – and is directly targeting victims' via cloud services.

Plus, they're branching out from their usual victims list, which included governmental, think tank, healthcare and energy targets for intelligence gain. In Monday's joint advisory, the Five Eyes revealed they have spotted the SVR-backed spies targeting aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

Eight international agencies have signed onto the security alert. These include the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber National Mission Force (CNMF), the Federal Bureau of Investigation (FBI), Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand Government Communications Security Bureau (GCSB).

One of the ways in which Cozy Bear breaks into victims' cloud services is via brute forcing and password spraying attacks aimed at getting access to accounts used to manage apps and services, and to those belonging to users who no longer work at the victim org – in other words, which that aren't regularly monitored by a human.

Additionally, the Kremlin's spies frequently use tokens to access accounts, which allows them to eliminate the need for a password altogether. Or "on multiple occasions," Cozy Bear uses MFA bombing (also known as MFA fatigue attacks) to break in.

"Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant," the Five Eyes agencies warned.

"If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network," they added.

Another technique that the crew employs is the use of residential proxies, which make the network traffic look legitimate, since it appears to be originating from IP addresses within ISP ranges used for residential broadband customers.

• Microsoft sheds some light on Russian email heist – and how to learn from Redmond's mistakes
• HPE joins the 'our executive email was hacked by Russia' club
• Orgs are having a major identity crisis while crims reap the rewards
• ALPHV/BlackCat responsible for Change Healthcare cyberattack

We should also note that all of this sounds very similar to the techniques outlined by Microsoft, in its report about how the gang broke into its corporate email inboxes. 

First, a password spray attack that gave the gang access to a non-production Microsoft system that did not have MFA enabled. Then the intruders compromised a legacy test OAuth application, which they used to create additional malicious OAuth applications and access mailboxes. 

Cozy Bear also used residential proxies so the network traffic appeared to be coming from work-from-home staff.

"Once the SVR gain initial access, the actor is capable of deploying highly sophisticated post compromise capabilities such as MagicWeb," the cyber and intel agencies noted. "Therefore, mitigating against the SVR's initial access vectors is particularly important for network defenders."

The Reg readers may remember MagicWeb as the custom malware Cozy Bear used to maintain access to compromised Windows networks before being spotted by Microsoft in 2022. ®