APT29 SVR Cloud Environment Targeting
CISA and NCSC-UK joint advisory AA24-057A, detailing the evolved tactics APT29 (SVR) uses to gain initial access to cloud environments, including OAuth abuse, MFA bypass through MFA fatigue, and the use of residential proxies to blend in with legitimate traffic. The campaign targets cloud-hosted email and identity systems.
Start date: 1 February 2024
End date: —
Techniques: 14
Attributed actors:
Techniques (14)
Collection (2)
  T1114.002 Remote Email Collection
  T1530 Data from Cloud Storage
Command and Control (2)
  T1071.001 Web Protocols
  T1090.003 Multi-hop Proxy
Credential Access (1)
  T1621 Multi-Factor Authentication Request Generation
Discovery (2)
  T1082 System Information Discovery
  T1083 File and Directory Discovery
Execution (1)
  T1059.001 PowerShell
Initial Access (3)
  T1078 Valid Accounts
  T1566.001 Spearphishing Attachment
  T1190 Exploit Public-Facing Application
Lateral Movement (1)
  T1550.001 Application Access Token
Persistence (1)
  T1078 Valid Accounts
Privilege Escalation (1)
  T1078 Valid Accounts
Stealth (3)
  T1078 Valid Accounts
  T1070.004 File Deletion
  T1027 Obfuscated Files or Information
Indicators of compromise
No IOCs linked to this campaign yet.