{
	"id": "48b9a489-cd4f-4ad2-a31d-21eff9f997cc",
	"created_at": "2026-04-06T00:07:12.446015Z",
	"updated_at": "2026-04-10T13:12:58.248089Z",
	"deleted_at": null,
	"sha1_hash": "9990f299a4164e4ebb17338dc2faffb10ac4c9a9",
	"title": "SVR Cyber Actors Adapt Tactics for Initial Cloud Access | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77766,
	"plain_text": "SVR Cyber Actors Adapt Tactics for Initial Cloud Access | CISA\r\nPublished: 2024-02-26 · Archived: 2026-04-05 14:50:16 UTC\r\nHow SVR-Attributed Actors are Adapting to the Move of Government and Corporations to Cloud\r\nInfrastructure\r\nOVERVIEW\r\nThis advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29,\r\nalso known as Midnight Blizzard, the Dukes, or Cozy Bear.\r\nThe UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber\r\nespionage group, almost certainly part of the SVR, an element of the Russian intelligence services. The US\r\nNational Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber\r\nNational Mission Force (CNMF), the Federal Bureau of Investigation (FBI), Australian Signals Directorate’s\r\nAustralian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and New\r\nZealand Government Communications Security Bureau (GCSB) agree with this attribution and the details\r\nprovided in this advisory.\r\nThis advisory provides an overview of TTPs deployed by the actor to gain initial access into the cloud\r\nenvironment and includes advice to detect and mitigate this activity.\r\nTo download the PDF version of this report, click here .\r\nPREVIOUS ACTOR ACTIVITY\r\nThe NCSC has previously detailed how Russian Foreign Intelligence Service (SVR) cyber actors have targeted\r\ngovernmental, think tank, healthcare, and energy targets for intelligence gain. 
It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.\r\nSVR actors are also known for:\r\nThe supply chain compromise of SolarWinds software.\r\nActivity that targeted organizations developing the COVID-19 vaccine.\r\nEVOLVING TTPs\r\nAs organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment.\r\nThey have had to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a\r\nPage 1 of 5\n\nTo access the majority of the victims’ cloud hosted network, actors must first successfully authenticate to the cloud provider. Denying initial access to the cloud environment can prevent the SVR from successfully compromising their target. In contrast, in an on-premises system, more of the network is typically exposed to threat actors.\r\nThe sections below describe in more detail how SVR actors are adapting to continue their cyber operations for intelligence gain. These TTPs have been observed in the last 12 months.\r\nACCESS VIA SERVICE AND DORMANT ACCOUNTS\r\nPrevious SVR campaigns reveal the actors have successfully used brute forcing [T1110] and password spraying to access service accounts. This type of account is typically used to run and manage applications and services. There is no human user behind them, so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise. Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. 
Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations.\r\nSVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system [T1078.004].\r\nFollowing an enforced password reset for all users during an incident, SVR actors have also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities.\r\nCLOUD-BASED TOKEN AUTHENTICATION\r\nAccount access is typically authenticated by either username and password credentials or system-issued access tokens. The NCSC and partners have observed SVR actors using tokens to access their victims’ accounts, without needing a password [T1528].\r\nThe default validity time of system-issued tokens varies depending on the system; however, cloud platforms should allow administrators to adjust the validity time as appropriate for their users. More information can be found on this in the mitigations section of this advisory.\r\nENROLLING NEW DEVICES TO THE CLOUD\r\nOn multiple occasions, the SVR have successfully bypassed password authentication on personal accounts using password spraying and credential reuse. SVR actors have also then bypassed MFA through a technique known as “MFA bombing” or “MFA fatigue,” in which the actors repeatedly push MFA requests to a victim’s device until the victim accepts the notification [T1621].\r\nOnce an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant [T1098.005]. 
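The three steps just described (a password spray to find a working credential, prompt bombing to get past MFA, then enrolment of an actor-controlled device) leave a characteristic sequence in the identity provider's sign-in and audit logs, and the sequence is a far better alert than any one step on its own. The following Python is an added example written for this page; it is not code from the advisory, from CISA or NCSC, or from any cloud vendor. The event layout, the thresholds, and the sample events are constructed assumptions; a real deployment would feed it the provider's sign-in and audit exports instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in and audit events (not real telemetry).
# Each is (time, user, source_ip, kind, outcome):
#   kind 'signin'          outcome 'success' | 'failure'
#   kind 'mfa'             outcome 'approved' | 'denied' | 'timeout'
#   kind 'device_register' outcome 'success'
EVENTS = [
    # password spray: one source tries many accounts once each
    ('2024-02-01T09:00:00', 'svc-backup', '203.0.113.7', 'signin', 'failure'),
    ('2024-02-01T09:00:05', 'svc-sync', '203.0.113.7', 'signin', 'failure'),
    ('2024-02-01T09:00:11', 'svc-ci', '203.0.113.7', 'signin', 'failure'),
    ('2024-02-01T09:00:16', 'j.doe', '203.0.113.7', 'signin', 'failure'),
    ('2024-02-01T09:00:22', 'a.smith', '203.0.113.7', 'signin', 'failure'),
    ('2024-02-01T09:00:30', 'a.smith', '203.0.113.7', 'signin', 'success'),
    # MFA fatigue: pushes to a.smith until one is approved
    ('2024-02-01T09:01:00', 'a.smith', '203.0.113.7', 'mfa', 'denied'),
    ('2024-02-01T09:02:00', 'a.smith', '203.0.113.7', 'mfa', 'timeout'),
    ('2024-02-01T09:03:00', 'a.smith', '203.0.113.7', 'mfa', 'denied'),
    ('2024-02-01T09:04:00', 'a.smith', '203.0.113.7', 'mfa', 'approved'),
    # the actor then enrols a device of their own
    ('2024-02-01T09:10:00', 'a.smith', '203.0.113.7', 'device_register', 'success'),
    # benign noise: one typo, MFA approved first time, a later enrolment
    ('2024-02-01T11:00:00', 'b.lee', '198.51.100.4', 'signin', 'failure'),
    ('2024-02-01T11:00:20', 'b.lee', '198.51.100.4', 'signin', 'success'),
    ('2024-02-01T11:00:40', 'b.lee', '198.51.100.4', 'mfa', 'approved'),
    ('2024-02-01T15:00:00', 'b.lee', '198.51.100.4', 'device_register', 'success'),
]


def parse(events):
    # Chronological list of (time, user, ip, kind, outcome).
    return sorted((datetime.fromisoformat(t), u, ip, k, o) for t, u, ip, k, o in events)


def password_spray_sources(events, min_accounts=5, window_minutes=60):
    # T1110: a source IP that fails sign-in for min_accounts or more
    # distinct accounts inside one sliding window. Per-account lockout
    # never trips because each account sees only a guess or two.
    window = timedelta(minutes=window_minutes)
    fails = defaultdict(list)
    for t, u, ip, k, o in parse(events):
        if k == 'signin' and o == 'failure':
            fails[ip].append((t, u))
    flagged = {}
    for ip, attempts in fails.items():
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def mfa_fatigue_victims(events, min_rejected=3, window_minutes=30):
    # T1621: a user who denied or ignored min_rejected or more pushes and
    # then approved one within the window. Returns {user: (count, time)}.
    window = timedelta(minutes=window_minutes)
    rejected = defaultdict(list)
    victims = {}
    for t, u, ip, k, o in parse(events):
        if k != 'mfa':
            continue
        rejected[u] = [r for r in rejected[u] if t - r <= window]
        if o in ('denied', 'timeout'):
            rejected[u].append(t)
        elif o == 'approved' and len(rejected[u]) >= min_rejected:
            victims[u] = (len(rejected[u]), t.isoformat())
            rejected[u] = []
    return victims


def suspicious_device_registrations(events, window_hours=24):
    # T1098.005: a device registered from a spray source, or by a
    # prompt-bombed user within window_hours of the approval that let
    # the actor in. Only this chained result is raised as an alert.
    window = timedelta(hours=window_hours)
    spray_ips = password_spray_sources(events)
    victims = mfa_fatigue_victims(events)
    hits = []
    for t, u, ip, k, o in parse(events):
        if k != 'device_register':
            continue
        bombed = u in victims and t - datetime.fromisoformat(victims[u][1]) <= window
        if ip in spray_ips or bombed:
            hits.append((u, ip, t.isoformat()))
    return hits


if __name__ == '__main__':
    print('spray sources:', password_spray_sources(EVENTS))
    print('MFA fatigue:', mfa_fatigue_victims(EVENTS))
    print('device registrations:', suspicious_device_registrations(EVENTS))
```

The spray window is deliberately wide because the technique is slow by design, and min_accounts should scale with the tenant; the device-registration check is chained to the other two on purpose, so that the alert it raises is a handful of enrolments that followed a flagged approval rather than a daily list of every device the tenant saw.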
If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network.\r\nWhere device enrollment policies have been configured, there have been instances in which these measures defended against SVR actors and denied them access to the cloud tenant.\r\nRESIDENTIAL PROXIES\r\nAs network-level defenses improve detection of suspicious activity, SVR actors have looked at other ways to stay covert on the internet. A TTP associated with this actor is the use of residential proxies [T1090.002]. Residential proxies typically make traffic appear to originate from IP addresses within internet service provider (ISP) ranges used for residential broadband customers and hide the true source. This can make it harder to distinguish malicious connections from typical users. This reduces the effectiveness of network defenses that use IP addresses as indicators of compromise, so it is important to consider a variety of information sources, such as application and host-based logging, for detecting suspicious activity.\r\nCONCLUSION\r\nThe SVR is a sophisticated actor capable of carrying out a global supply chain compromise such as the 2020 SolarWinds compromise; however, the guidance in this advisory shows that a strong baseline of cyber security fundamentals can help defend against such actors.\r\nFor organizations that have moved to cloud infrastructure, a first line of defense against an actor such as the SVR should be to protect against the SVR’s TTPs for initial access. By following the mitigations outlined in this advisory, organizations will be in a stronger position to defend against this threat.\r\nOnce the SVR gains initial access, the actor is capable of deploying highly sophisticated post-compromise capabilities such as MagicWeb, as reported in 2022. 
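Once residential proxies take source IP off the table as an indicator, the signals that remain are behavioral rather than network-level: a password reset on an account that had been dormant (the re-entry trick described under service and dormant accounts above), a session whose client identity changes part-way through its lifetime, and any use at all of a canary service account (the latter two are recommended in the mitigation section below). The following Python is an added example written for this page, not code from the advisory, from CISA or NCSC, or from any vendor; the event layout, the 90-day dormancy threshold, the canary account name and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (not real telemetry). Each is
# (time, kind, user, session_id, source_ip, user_agent); session_id is
# blank for events that are not tied to an issued session token.
# Kinds: 'signin_ok', 'signin_fail', 'password_reset', 'activity'.
EVENTS = [
    # a.smith last signed in months before the incident
    ('2023-10-01T08:00:00', 'signin_ok', 'a.smith', 's1', '198.51.100.4', 'Outlook/16'),
    # j.doe is an active user
    ('2024-01-29T16:00:00', 'signin_ok', 'j.doe', 's3', '198.51.100.9', 'Teams/1.6'),
    # incident response forces every account to reset on 2024-01-30;
    # both resets look identical at the IP level
    ('2024-01-30T07:30:00', 'password_reset', 'a.smith', '', '203.0.113.7', 'Mozilla/5.0 (Windows)'),
    ('2024-01-30T07:31:00', 'signin_ok', 'a.smith', 's2', '203.0.113.7', 'Mozilla/5.0 (Windows)'),
    ('2024-01-30T09:00:00', 'password_reset', 'j.doe', '', '198.51.100.9', 'Teams/1.6'),
    # session s4 is issued to a phone, then the same token is replayed
    # from a desktop browser behind a residential address
    ('2024-02-01T10:00:00', 'signin_ok', 'b.lee', 's4', '198.51.100.12', 'Outlook-iOS/4.2'),
    ('2024-02-01T10:05:00', 'activity', 'b.lee', 's4', '198.51.100.12', 'Outlook-iOS/4.2'),
    ('2024-02-01T10:40:00', 'activity', 'b.lee', 's4', '203.0.113.50', 'Mozilla/5.0 (Windows)'),
    # a canary service account that no legitimate service ever uses
    ('2024-02-01T03:12:00', 'signin_fail', 'svc-legacy-sync', '', '203.0.113.7', 'python-requests/2.31'),
]

# Assumed canary list; in practice this comes from the account inventory.
CANARY_ACCOUNTS = {'svc-legacy-sync'}


def parse(events):
    # Chronological list of (time, kind, user, session, ip, user_agent).
    return sorted((datetime.fromisoformat(t), k, u, s, ip, ua) for t, k, u, s, ip, ua in events)


def dormant_account_resets(events, dormant_days=90):
    # Password resets on accounts with no successful sign-in in the
    # previous dormant_days (or ever). After an enforced org-wide reset
    # these are the resets to review first: a genuinely dormant account
    # has no user left to perform one.
    dormant_after = timedelta(days=dormant_days)
    last_ok = {}
    hits = []
    for t, k, u, s, ip, ua in parse(events):
        if k == 'signin_ok':
            last_ok[u] = t
        elif k == 'password_reset':
            prev = last_ok.get(u)
            if prev is None or t - prev > dormant_after:
                hits.append((u, ip, t.isoformat()))
    return hits


def session_user_agent_changes(events):
    # Sessions whose user agent differs from the one seen when the token
    # was issued. An IP change alone is weak evidence once residential
    # proxies are in play; the client identity bound to the token is not.
    first_ua = {}
    hits = []
    for t, k, u, s, ip, ua in parse(events):
        if not s:
            continue
        if s not in first_ua:
            first_ua[s] = ua
        elif ua != first_ua[s]:
            hits.append((s, u, first_ua[s], ua, ip))
    return hits


def canary_account_use(events, canaries=CANARY_ACCOUNTS):
    # Any authentication attempt against a canary account, successful or
    # not, is a high-confidence alert regardless of where it came from.
    return [(u, k, ip, t.isoformat())
            for t, k, u, s, ip, ua in parse(events)
            if u in canaries and k in ('signin_ok', 'signin_fail')]


if __name__ == '__main__':
    print('dormant resets:', dormant_account_resets(EVENTS))
    print('session UA changes:', session_user_agent_changes(EVENTS))
    print('canary use:', canary_account_use(EVENTS))
```

The user-agent check is keyed on the session identifier rather than on the user, because a legitimate user may hold several sessions from different clients at once; what should not happen is a single token changing client mid-life. Shorter session lifetimes, as recommended below, shrink the window in which such a replay is possible at all.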
Therefore, mitigating against the SVR’s initial access vectors is particularly important for network defenders.\r\nCISA has also produced guidance through its Secure Cloud Business Applications (SCuBA) Project, which is designed to protect assets stored in cloud environments.\r\nSome of the TTPs listed in this report, such as residential proxies and exploitation of system accounts, are similar to those reported as recently as January 2024 by Microsoft.\r\nMITRE ATT\u0026CK®\r\nThis report has been compiled with respect to the MITRE ATT\u0026CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.\r\nTactic | ID | Technique | Procedure\r\nCredential Access | T1110 | Brute Force | The SVR use password spraying and brute forcing as an initial infection vector.\r\nInitial Access | T1078.004 | Valid Accounts: Cloud Accounts | The SVR use compromised credentials to gain access to accounts for cloud services, including system and dormant accounts.\r\nCredential Access | T1528 | Steal Application Access Token | The SVR use stolen access tokens to log in to accounts without the need for passwords.\r\nCredential Access | T1621 | Multi-Factor Authentication Request Generation | The SVR repeatedly push MFA requests to a victim’s device until the victim accepts the notification, providing SVR access to the account.\r\nCommand and Control | T1090.002 | Proxy: External Proxy | The SVR use open proxies in residential IP ranges to blend in with expected IP address pools in access logs.\r\nPersistence | T1098.005 | Account Manipulation: Device Registration | The SVR attempt to register their own device on the cloud tenant after acquiring access to accounts.\r\nMITIGATION AND DETECTION\r\nA number of mitigations will be useful 
in defending against the activity described in this advisory:\r\nUse multi-factor authentication (/2-factor authentication/two-step verification) to reduce the impact of password compromises. See NCSC guidance: Multifactor Authentication for Online Services and Setting up 2-Step Verification (2SV).\r\nAccounts that cannot use 2SV should have strong, unique passwords. User and system accounts should be disabled when no longer required, with a “joiners, movers, and leavers” process in place and regular reviews to identify and disable inactive/dormant accounts. See NCSC guidance: 10 Steps to Cyber Security.\r\nSystem and service accounts should implement the principle of least privilege, providing tightly scoped access to resources required for the service to function.\r\nCanary service accounts should be created which appear to be valid service accounts but are never used by legitimate services. Monitoring and alerting on the use of these accounts provides a high-confidence signal that they are being used illegitimately and should be investigated urgently.\r\nSession lifetimes should be kept as short as practical to reduce the window of opportunity for an adversary to use stolen session tokens. This should be paired with a suitable authentication method that strikes a balance between regular user authentication and user experience.\r\nEnsure device enrollment policies are configured to only permit authorized devices to enroll. Use zero-touch enrollment where possible, or if self-enrollment is required then use a strong form of 2SV that is resistant to phishing and prompt bombing. Old devices should be prevented from (re)enrolling when no longer required. See NCSC guidance: Device Security Guidance.\r\nConsider a variety of information sources such as application events and host-based logs to help prevent, detect and investigate potential malicious behavior. 
Focus on the information sources and indicators of compromise that have a lower false-positive rate. For example, looking for changes to user agent strings that could indicate session hijacking may be more effective than trying to identify connections from suspicious IP addresses. See NCSC guidance: Introduction to Logging for Security Purposes.\r\nDISCLAIMER\r\nThis report draws on information derived from NCSC and industry sources. Any NCSC findings and recommendations made have not been provided with the intention of avoiding all risks, and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.\r\nThis information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.\r\nRefer any FOIA queries to ncscinfoleg@ncsc.gov.uk.\r\nAll material is UK Crown Copyright.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a"
	],
	"report_names": [
		"aa24-057a"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434032,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9990f299a4164e4ebb17338dc2faffb10ac4c9a9.pdf",
		"text": "https://archive.orkl.eu/9990f299a4164e4ebb17338dc2faffb10ac4c9a9.txt",
		"img": "https://archive.orkl.eu/9990f299a4164e4ebb17338dc2faffb10ac4c9a9.jpg"
	}
}