The Communications Security Establishment (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) joined their Five Eyes cyber security partners in issuing a joint advisory detailing tactics used by Russian Foreign Intelligence Service (SVR) actors to gain initial cloud access.
CSE and its partners have observed that SVR actors are adapting their tactics to account for organizations moving to cloud-based infrastructure. Along with the continued use of password spraying and brute forcing, SVR actors are now:
- targeting system accounts
- exploiting cloud-based tokens
- attempting to enroll new cloud devices by bypassing password authentication and engaging in multi-factor authentication (MFA) bombing
- using residential proxies
In the past, SVR actors have targeted many sectors around the world including governments, think tanks, healthcare and energy for intelligence gain. More recently, they have expanded their targeting to include the aviation, education, law enforcement and military sectors, among others. SVR actors have been responsible for a range of malicious cyber activities, including the SolarWinds supply chain compromise and activity targeting COVID-19 vaccine development.
We strongly recommend that organizations review the advisory, remain alert to the tactics described and take the appropriate measures to mitigate the threats, such as:
- system account management
- short token validity time periods
- conditional access policies
- device enrolment
Organizations should also promote and implement basic cyber security best practices, specifically strong passwords and passphrases, multi-factor authentication and system updates.
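As an added example (not code from the advisory or the Cyber Centre), the Python sketch below shows how a defender might surface two of the tactics listed above, password spraying and MFA bombing, from identity-provider sign-in events. The event tuple format, the thresholds and the sample entries are constructed assumptions; map them onto your own provider's sign-in log fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sign-in events, not real data: (time, user, source_ip, result)
    ("2024-02-26T08:00:01", "alice", "203.0.113.7", "fail_password"),
    ("2024-02-26T08:00:04", "bob", "203.0.113.7", "fail_password"),
    ("2024-02-26T08:00:07", "carol", "203.0.113.7", "fail_password"),
    ("2024-02-26T08:00:10", "dave", "203.0.113.7", "fail_password"),
    ("2024-02-26T08:00:13", "erin", "203.0.113.7", "fail_password"),
    ("2024-02-26T08:05:00", "carol", "198.51.100.2", "mfa_prompt"),
    ("2024-02-26T08:05:30", "carol", "198.51.100.2", "mfa_prompt"),
    ("2024-02-26T08:06:00", "carol", "198.51.100.2", "mfa_prompt"),
    ("2024-02-26T08:06:30", "carol", "198.51.100.2", "mfa_prompt"),
    ("2024-02-26T09:00:00", "dave", "192.0.2.9", "mfa_prompt"),
]

def _max_distinct_in_window(pairs, window):
    """pairs: (datetime, value). Largest set of distinct values inside one sliding window."""
    pairs = sorted(pairs)
    best = set()
    for i, (start, _) in enumerate(pairs):
        seen = {v for t, v in pairs[i:] if t - start <= window}
        if len(seen) > len(best):
            best = seen
    return best

def password_spray_sources(events, min_accounts=5, window=timedelta(minutes=15)):
    """{source_ip: accounts} for IPs whose failed logins hit >= min_accounts
    distinct accounts in one window; spraying stays under per-account lockout."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "fail_password":
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {ip: sorted(_max_distinct_in_window(p, window)) for ip, p in by_ip.items()}
    return {ip: users for ip, users in flagged.items() if len(users) >= min_accounts}

def mfa_bombing_users(events, min_prompts=4, window=timedelta(minutes=10)):
    """{user: prompts} for users sent >= min_prompts MFA push prompts in one
    window: an actor holding a valid password hammering for a single approval."""
    by_user = defaultdict(list)
    for ts, user, _ip, result in events:
        if result == "mfa_prompt":  # each prompt is its own distinct value
            by_user[user].append((datetime.fromisoformat(ts), ts))
    flagged = {u: len(_max_distinct_in_window(p, window)) for u, p in by_user.items()}
    return {u: n for u, n in flagged.items() if n >= min_prompts}

if __name__ == "__main__":
    print("spray sources:", password_spray_sources(EVENTS))
    print("MFA bombing:", mfa_bombing_users(EVENTS))
```

Tune the thresholds and windows to your environment's baseline; the per-source and per-user grouping is the point, since per-account lockout counters never trip on either pattern.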
Useful resources
Consult the following publications from the Cyber Centre for advice and guidance on the topics addressed in this advisory:
- Thinking of moving to the cloud? Here’s how to do it securely
- Guidance on defence in depth for cloud-based services
- Guidance on using tokenization for cloud-based services
- A zero trust approach to security architecture
- Top 10 IT security actions: No.3 managing and controlling administrative privileges
- Cyber security hygiene best practices for your organization