Loading...

Cloud services are prime targets for nation-state actors

Cloud services are prime targets for nation-state actors
Loading...

In a blog post dated March 8, Microsoft issued an update regarding the cyberattack and data breach initially disclosed on January 19th. The company revealed that it had been targeted by a cyberattack orchestrated by the Russian-backed group named Midnight Blizzard. This group, previously linked to the SolarWinds breach, gained access to undisclosed source code and sensitive customer information transmitted via email exchanges with senior executives.

Beginning in November 2023, the breach exploited a vulnerability within Microsoft's security infrastructure. Using password spray attacks, the perpetrators focused on an internal service account devoid of multi-factor authentication, thereby gaining unauthorised access to the company's repositories of sensitive data, emails, and other servers.

This attack is a stark reminder of the tactics employed by both nation-state actors and cybercriminals to sustain a continual foothold within their target’s networks to achieve their nefarious objectives. Moreover, they underscore the recurrent success of attackers when organisations neglect to adhere to fundamental cyber hygiene consistently and uniformly across the entire environment and attack surface.

Loading...

Upon closer inspection, the methods employed by nation-state actors to infiltrate target organisations aren’t necessarily novel and new; rather, they persistently rely on proven attack methods that demonstrate their effectiveness. Exploiting unpatched vulnerabilities, code flaws, misconfigurations, and even human error within organisations are all part of their modus operandi. However, as technology advances, so do the number of vulnerabilities across an ever-increasing amount of assets, applications, identities and other potential targets. 

Consequently, attackers adapt their strategies to incorporate exploits against these new attack options, even if the fundamental method of the attack isn’t necessarily new. The shift towards cloud computing has also provided attackers with new opportunities to exploit these vulnerabilities at scale and gain unauthorised access to sensitive data and systems in areas of the environments which are often overlooked. 

One significant complication in dealing with cyberattacks is the increasing reliance on automation and APIs within organisations. With automation’s rising prominence, there’s a corresponding increase in non-human service accounts, often endowed with elevated privileges However, these accounts are typically monitored less rigorously than regular user accounts.  In Microsoft’s breach, the compromised credential was a service account and was found to lack adherence to their basic hygiene policy requirements, specifically the use of multi-factor authentication to secure these kinds of accounts. Consequently, nation-state actors are increasingly targeting these non-human credentials, recognising their potential for elevated privileges that would allow them unauthorised access to critical systems and data once those credentials are compromised. These are key areas where organisations must implement more stringent, consistently applied access controls and perform regular assessments of these accounts' entitlements to mitigate and reduce the risk of a compromise.

Loading...

Similarly, the shift towards cloud computing has not gone unnoticed by adversaries. Cloud services have become prime targets, serving as gateways to an organisation's infrastructure, applications and databases. Just as attackers once targeted on-premises servers, they now pivot towards cloud platforms, recognising their central role in modern IT ecosystems and the sheer scale of targets and attack vectors modern cloud environments provide.

While organisations must maintain fundamental cybersecurity practices such as patch management and network access control, understanding the prominence of credential-based attacks is crucial. For many years within the cybersecurity industry, we’ve said “identity is the new perimeter” to recognise the importance of protecting credentials of all types due to how they provide access through other security controls and mitigation measures. By prioritising the protection of credentials and adopting robust security measures, organisations can better bolster their defences against nation-state threats.

Nation-state cyberattacks will continue to persist as a substantial menace to organisations worldwide. As technology evolves, so too does the scope, scale and complexity of the environments we must protect become. This, in turn, allows malicious actors to leverage more tactics against more targets and increase their chance of success in compromising critical infrastructure, data sets and services.  By recognising the evolving nature of these threats and implementing proactive security measures, organisations can mitigate the risk of compromise and better safeguard their critical assets before a breach occurs.

Loading...
Nathan Wenzler

Nathan Wenzler


Nathan Wenzler is the Chief Security Strategist at Tenable.


Sign up for Newsletter

Select your Newsletter frequency