CISA Warns Against Russian Cloud Hacking Tactics

The advisory recommends multi-factor authentication and strong passwords for non-2SV accounts, among other things for threat defense.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC), and other international partners have jointly released an advisory warning of tactics and techniques employed by Russian Foreign Intelligence Service (SVR) hackers to breach cloud systems.

CISA warned that the hackers have moved beyond conventional methods of initial access, such as exploiting software vulnerabilities in on-premises networks, and shifted their focus to targeting cloud services directly.

“Previous SVR campaigns reveal the actors have successfully used brute forcing (T1110) and password spraying to access service accounts. This type of account is typically used to run and manage applications and services. There is no human user behind them so they cannot be easily protected with multi-factor authentication (MFA), making these accounts more susceptible to a successful compromise,” the advisory stated.


The advisory recommends multi-factor authentication, strong passwords for non-2SV accounts, unused "canary" service accounts, shorter session lifetimes, authorized device policies, and diverse data sources for threat defense.
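As an added illustration (not code from the advisory or from CISA), the sketch below shows how two of these ideas can be checked in authentication logs: any login attempt against an unused "canary" service account, and one source failing against many distinct accounts in a short window, which is the pattern password spraying leaves. The log format, account names, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the format (timestamp, source IP, account, result)
# and every account name are assumptions made for this example.
SAMPLE_LOG = """\
2024-02-26T10:00:05 203.0.113.7 svc-backup FAIL
2024-02-26T10:00:41 203.0.113.7 svc-deploy FAIL
2024-02-26T10:01:17 203.0.113.7 svc-canary-01 FAIL
2024-02-26T10:02:02 203.0.113.7 svc-reports FAIL
2024-02-26T10:03:30 198.51.100.20 svc-backup FAIL
2024-02-26T10:03:42 198.51.100.20 svc-backup FAIL
2024-02-26T10:03:55 198.51.100.20 svc-backup OK
2024-02-26T11:30:00 203.0.113.7 svc-mail FAIL
"""

# Unused accounts that nothing legitimate logs in to (hypothetical name).
CANARY_ACCOUNTS = {"svc-canary-01"}

def parse(log):
    """Turn log text into time-ordered (timestamp, source, account, result) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, src, account, result = line.split()
        events.append((datetime.fromisoformat(ts), src, account, result))
    return sorted(events)

def canary_hits(events, canaries=CANARY_ACCOUNTS):
    """Every attempt against a canary account, whether it succeeded or failed."""
    return [(ts, src, acct) for ts, src, acct, _ in events if acct in canaries]

def spray_sources(events, window=timedelta(minutes=10), min_accounts=4):
    """Sources that failed against >= min_accounts distinct accounts within one window."""
    fails = defaultdict(list)
    for ts, src, acct, result in events:
        if result == "FAIL":
            fails[src].append((ts, acct))
    flagged = {}
    for src, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[src] = sorted(accounts)
                break
    return flagged

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("canary attempts:", canary_hits(ev))
    print("spray sources:  ", spray_sources(ev))
```

Repeated failures against a single account, as from 198.51.100.20 in the sample, are deliberately not flagged as spraying; they call for a separate per-account lockout or brute-force rule.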

Other bodies in the advisory group include the U.S. National Security Agency (NSA), the U.S. Cyber National Mission Force (CNMF), the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand Government Communications Security Bureau (GCSB).

Last month, CISA announced the establishment of a specialized office aimed at assisting federal agencies in implementing zero-trust security principles. 

The newly established office will provide enhanced training on zero trust principles to federal agencies, alongside endeavors to improve the identification of requisite skills and knowledge essential for successful implementation of the architecture.

In another similar joint operation, the U.S. Department of Justice (DoJ) worked in cooperation with the FBI, the U.K. National Crime Agency’s (NCA) Cyber Division, and other international law enforcement partners to disrupt the LockBit ransomware group, which is one of the most active ransomware groups in the world.

So far, the group has targeted over 2,000 victims, received more than US$ 120 million in ransom payments, and made ransom demands totaling hundreds of millions of dollars.

CDO Magazine