Nation-state actors have their sights on the cloud

Tenable APAC

By Nathan Wenzler*
Thursday, 21 March, 2024



On 8 March, Microsoft published a blog post updating its account of the cyber attack and data breach it had originally announced on 19 January, in which the company fell victim to an attack orchestrated by the Russian-backed group known as Midnight Blizzard. This group, notorious for its involvement in the SolarWinds breach, accessed undisclosed source code and sensitive customer information exchanged via email with top executives.

The breach, which commenced in November 2023, exploited a vulnerability in Microsoft’s security infrastructure. Utilising password spray attacks, the attackers targeted an internal service account lacking multi-factor authentication, allowing them to gain illicit entry into the company’s sensitive data repositories, emails and other servers.

These revelations serve as a stark reminder of the tactics employed by both nation-state actors and cybercriminals to sustain a continual foothold within their target’s networks to achieve their nefarious objectives. Moreover, they underscore the recurrent success of attackers when organisations neglect to adhere to fundamental cyber hygiene consistently and uniformly across the entire environment and attack surface.

Upon closer inspection, the methods employed by nation-state actors to infiltrate target organisations aren’t necessarily novel; rather, they persistently rely on attack methods that have proven effective. Exploiting unpatched vulnerabilities, code flaws, misconfigurations and even human error within organisations is all part of their modus operandi. However, as technology advances, so does the number of vulnerabilities across an ever-increasing number of assets, applications, identities and other potential targets.

Consequently, attackers adapt their strategies to incorporate exploits against these new attack options, even if the fundamental method of the attack isn’t necessarily new. The shift towards cloud computing has also provided attackers with new opportunities to exploit these vulnerabilities at scale and gain unauthorised access to sensitive data and systems in areas of the environments which are often overlooked.

One significant complication in dealing with cyber attacks is the increasing reliance on automation and APIs within organisations. With automation’s rising prominence, there’s a corresponding increase in non-human service accounts, often endowed with elevated privileges. However, these accounts are typically monitored less rigorously than regular user accounts. In Microsoft’s breach, the compromised credential was a service account that was found not to comply with the company’s basic hygiene policy requirements, specifically the use of multi-factor authentication to secure these kinds of accounts. Consequently, nation-state actors are increasingly targeting these non-human credentials, recognising their potential for elevated privileges that would allow them unauthorised access to critical systems and data once those credentials are compromised. These are key areas where organisations must implement more stringent, consistently applied access controls and perform regular assessments of these accounts’ entitlements to mitigate and reduce the risk of a compromise.
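The password-spray pattern and the service-account hygiene gap described above can be checked together. The following is an added example, not code from the article or from Microsoft's reporting: it flags sources that fail against many accounts with few tries on each, then labels any successful sign-in from such a source using an account inventory. The account names, inventory fields, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory; names and fields are assumptions for this example.
ACCOUNTS = {
    "alice": {"human": True, "mfa": True, "privileged": False},
    "bob": {"human": True, "mfa": True, "privileged": True},
    "svc-build": {"human": False, "mfa": False, "privileged": True},
    "svc-backup": {"human": False, "mfa": False, "privileged": False},
}
# Constructed sign-in events: (source address, account, succeeded).
SIGNINS = [
    ("203.0.113.7", "alice", False), ("203.0.113.7", "bob", False),
    ("203.0.113.7", "svc-backup", False), ("203.0.113.7", "svc-build", True),
    ("198.51.100.4", "alice", False), ("198.51.100.4", "alice", False),
    ("198.51.100.4", "alice", True),  # one user mistyping, not a spray
]

def spray_sources(events, min_accounts=3, max_tries=2):
    """Sources that fail against many accounts with few tries on each."""
    tries = defaultdict(lambda: defaultdict(int))
    failed = defaultdict(set)
    for src, acct, ok in events:
        tries[src][acct] += 1
        if not ok:
            failed[src].add(acct)
    return {s for s in tries if len(failed[s]) >= min_accounts
            and max(tries[s].values()) <= max_tries}

def triage(events, accounts):
    """Successful sign-ins from spray sources, labelled from the inventory."""
    sources = spray_sources(events)
    findings = []
    for src, acct, ok in events:
        if ok and src in sources:
            info = accounts.get(acct, {})
            reasons = [label for label, hit in (
                ("no-mfa", not info.get("mfa", False)),
                ("non-human", not info.get("human", True)),
                ("privileged", info.get("privileged", False))) if hit]
            findings.append((src, acct, reasons))
    return findings

def hygiene_gaps(accounts):
    """Accounts without MFA, non-human and privileged ones listed first."""
    gaps = [name for name, a in accounts.items() if not a["mfa"]]
    return sorted(gaps, key=lambda n: (accounts[n]["human"],
                                       not accounts[n]["privileged"], n))

if __name__ == "__main__":
    print(triage(SIGNINS, ACCOUNTS))
    print(hygiene_gaps(ACCOUNTS))
```

Running `hygiene_gaps` on a schedule, independent of any alert, corresponds to the regular entitlement assessment the paragraph recommends.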

Similarly, the shift towards cloud computing has not gone unnoticed by adversaries. Cloud services have become prime targets, serving as gateways to an organisation’s infrastructure, applications and databases. Just as attackers once targeted on-premises servers, they now pivot towards cloud platforms, recognising their central role in modern IT ecosystems and the sheer scale of targets and attack vectors modern cloud environments provide.

While organisations must maintain fundamental cybersecurity practices such as patch management and network access control, understanding the prominence of credential-based attacks is crucial. For many years within the cybersecurity industry, we’ve said “identity is the new perimeter” to recognise the importance of protecting credentials of all types due to how they provide access through other security controls and mitigation measures. By prioritising the protection of credentials and adopting robust security measures, organisations can better bolster their defences against nation-state threats.

Nation-state cyber attacks will continue to persist as a substantial menace to organisations worldwide. As technology evolves, so too does the scope, scale and complexity of the environments we must protect. This, in turn, allows malicious actors to leverage more tactics against more targets and increase their chance of success in compromising critical infrastructure, datasets and services. By recognising the evolving nature of these threats and implementing proactive security measures, organisations can mitigate the risk of compromise and better safeguard their critical assets before a breach occurs.

*As the Chief Security Strategist for Tenable, Nathan brings his expertise in vulnerability management and cyber exposure to executives and security professionals around the globe in order to help them mature their security strategy, understand their cyber risk and measurably improve their overall security posture. Nathan has over two decades of experience designing, implementing and managing technical and non-technical security solutions for IT and information security organisations within both the public and private sectors.



  • All content Copyright © 2024 Westwick-Farrow Pty Ltd