NSA, Partners Issue CSA on Russian Hacking Operations Against Cloud Environments

The National Security Agency, in partnership with the UK National Cyber Security Centre and other organizations, has issued a cybersecurity advisory about Russian actors targeting cloud-hosted infrastructure to gain access to data.

According to the “SVR Cyber Actors Adapt Tactics for Initial Cloud Access” CSA, the Russian hacking group APT29 uses automated system accounts and inactive accounts to gain initial access to cloud infrastructure. They use password spraying, brute-force infiltration, and other common techniques and procedures to access cloud environments, steal critical information and maintain access using their own devices.

The CSA also includes indicators of compromise and recommendations to prevent or mitigate threats. The NSA said recommendations include system account management, multifactor authentication and system updates.

The advisory is one of several warnings the NSA and its partners have issued in recent months about Russia’s cyber operations.

In December, the NSA and its partners warned organizations that the Russian Foreign Intelligence Service is using a vulnerability in servers hosting JetBrains TeamCity software to gain initial server access and deploy backdoor access to engage in malicious activities. In September, cybersecurity agencies from the United States and its allies released a joint advisory about Sandworm, Russian military hackers that deployed the Chisel malware to steal credentials from Ukrainian military personnel’s Android devices.