By Cian Heasley, Threat Team Lead at Adarma, and Marco Bugu, Senior Threat Analyst at Adarma
In response to recent activity by APT 29, Adarma’s Threat Team conducted thorough research and developed tailored threat hunting content. This content is designed to scan customer environments for any indicators of similar activity, utilising recognised techniques associated with APT 29. Below, we provide an overview of our findings to date along with a series of recommendations to strengthen your organisation’s defences against similar attacks. If you’re interested in accessing our threat hunting resources, please reach out to the Adarma Threat Team at hello@adarma.com.
APT 29, also known as Cozy Bear, Midnight Blizzard, and Nobelium among the intelligence community, is a Russian threat group publicly linked to Russia’s Foreign Intelligence Service (SVR). Active since 2008, the group typically targets governments, critical infrastructure, political organisations and critical industries such as healthcare, finance and education.
The group gained notoriety in 2014 for its alleged attacks on the US White House and State Department and a breach of the Democratic National Committee in 2016. More recently, the group was linked to the 2020 SolarWinds supply chain attack, which impacted several organisations including Microsoft.
APT29’s latest attack on Microsoft targeted the company’s internal systems after a legacy Microsoft test account was successfully compromised. The attack was disclosed by Microsoft as part of their ongoing commitment to responsible transparency, as recently affirmed in their Secure Future Initiative. Microsoft stated that APT29 gained unauthorised access to and exfiltrated data from a limited number of their employee email accounts, compromising a fraction of their overall workforce. This subset included accounts of senior leadership members and individuals in cybersecurity, legal, and various other departments within the organisation.
APT 29 employed open proxies and compromised routers within “residential” IP spaces. This strategy aimed to make their attacks appear as ordinary ISP user traffic, potentially located in the same geographical area as the legitimate users connecting to the targeted accounts.
As part of APT 29’s attack strategy, the group used a technique known as a Password Spray attack to compromise a legacy non-production test tenant account and gain initial access. This type of attack is a form of brute force attack in which an unauthorised user tries a single password across numerous accounts before moving on to a different password. Protecting against these kinds of attacks involves monitoring authentication requests for suspicious patterns of failures and implementing strict security policies such as Multi-Factor Authentication (MFA) for all accounts.
Techniques such as Password Spray are often thought of as noisy, but in this case APT 29 were careful to target only a small subset of Microsoft accounts and to restrict the number of passwords they guessed. In addition to these evasive modifications, the Password Spray attack was carried out through multiple proxies, making detection more difficult and requiring different detection methods from those used for a traditional brute force attack.
Incidents like this serve as a useful reminder for all organisations to assess their legacy systems. They should check if these systems are being closely monitored, how easily accessible they are from the internet, and whether accounts linked to these legacy environments are enabled. If enabled, it is essential to ensure they have the most up-to-date security controls mandated by internal security policy requirements such as MFA.
Here are 7 actions we recommend that organisations take to enhance their cyber resilience against APT 29.
1. Explore password elimination solutions like Windows Hello or FIDO2 security keys. Passwords are themselves a major cybersecurity risk; start planning for the obsolescence of passwords now.
2. Implement MFA across all accounts. Using SMS for MFA introduces further potential security issues; we recommend Time-Based One-Time Password (TOTP) authenticator apps or hardware security keys.
3. Ensure log ingestion and visibility across sensitive internal environments and confirm that authentication logs are being closely monitored for suspicious patterns of activity.
4. Utilise Role-Based Access Control (RBAC) for Applications in Exchange Online for precise and scalable access. The more granular your security controls are, the greater the chance you will prevent or catch malicious activity.
5. Strengthen on-premises security with Microsoft Entra Password Protection for Active Directory Domain Services.
6. Control app registration creation, requiring admin consent for application permissions, whether the application is local or from another tenant. By default, users should have the least privileges needed for their roles.
7. Revisit detections in place to alert on evidence of techniques such as Password Spray to ensure that evasive variations will be caught.
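The distinction drawn above between a traditional brute force detection and one that catches a low-and-slow, multi-proxy Password Spray (as in point 7) can be shown in code. The example below is added here and is not Adarma’s hunting content; the sign-in records, field layout, thresholds and function names are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sign-in records (not from any real tenant), one per line as
# timestamp,account,source_ip,result. Hour 09 holds a spray: six accounts, one
# failure each, from six different IPs. Hour 10 is one user mistyping a password.
SAMPLE_LOGS = [
    "2024-01-12T09:00:01Z,alice@example.com,203.0.113.10,FAIL",
    "2024-01-12T09:07:44Z,bob@example.com,198.51.100.7,FAIL",
    "2024-01-12T09:15:02Z,carol@example.com,192.0.2.50,SUCCESS",
    "2024-01-12T09:21:19Z,dave@example.com,203.0.113.88,FAIL",
    "2024-01-12T09:33:56Z,erin@example.com,198.51.100.23,FAIL",
    "2024-01-12T09:40:11Z,frank@example.com,203.0.113.140,FAIL",
    "2024-01-12T09:52:30Z,grace@example.com,198.51.100.201,FAIL",
    "2024-01-12T10:05:00Z,carol@example.com,192.0.2.50,FAIL",
    "2024-01-12T10:05:09Z,carol@example.com,192.0.2.50,FAIL",
    "2024-01-12T10:05:20Z,carol@example.com,192.0.2.50,SUCCESS",
]

def parse_logs(lines):
    """Return (timestamp, account, source_ip, result) tuples."""
    events = []
    for line in lines:
        ts, account, ip, result = line.strip().split(",")
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), account, ip, result))
    return events

def detect_bruteforce_by_ip(events, threshold=10):
    """Classic detector: one source IP failing many times. A spray routed through
    many residential proxies leaves every IP far below the threshold."""
    failures = Counter(ip for _, _, ip, result in events if result == "FAIL")
    return sorted(ip for ip, n in failures.items() if n >= threshold)

def detect_password_spray(events, window_minutes=60, min_accounts=5, max_per_account=2):
    """Spray detector: many distinct accounts each failing only once or twice in
    one window. Keyed on account breadth, not on any single IP, so a low-and-slow
    spray spread across proxies still surfaces."""
    buckets = defaultdict(list)
    for ts, account, ip, _ in (e for e in events if e[3] == "FAIL"):
        secs = int(ts.timestamp())
        start = datetime.fromtimestamp(secs - secs % (window_minutes * 60), tz=ts.tzinfo)
        buckets[start].append((account, ip))
    alerts = []
    for start, attempts in sorted(buckets.items()):
        per_account = Counter(account for account, _ in attempts)
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            alerts.append({"window_start": start.isoformat(), "accounts": sorted(per_account),
                           "source_ips": sorted({ip for _, ip in attempts})})
    return alerts
```

On the sample data the per-IP detector returns nothing while the breadth-based detector raises one alert for the 09:00 window; in production the thresholds need tuning against your own baseline of failed sign-ins per hour.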
We are Adarma, leaders in detection and response services. We specialise in designing, building and managing cybersecurity operations that deliver a measurable reduction in business risk. We are on a mission to make cyber resilience a reality for organisations around the world.
Our team of passionate Cyber Defenders work hand in hand with our customers to mitigate risk and maximise the value of their cybersecurity investments. Powered by the Adarma Threat Management Platform and optimised to our customers’ individual needs, we deliver an integrated set of services that improve your security posture, including best-in-class Managed Detection and Response services.
We operate with transparency and visibility across today’s hybrid-SOC environments to protect our customers as they innovate, transform, and grow their businesses. Adarma delivers the cybersecurity outcomes you need to make a remarkable difference.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our c-suite publication that explores the state of the threat landscape, emerging cyber threats, and most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.