APT29 in the cloud: A deeper dive

Welcome to the second installment of our series, in which we highlight notable cyber attacks featured in the CSA’s report, “Top Threats to Cloud Computing.”

In this article, we turn our focus to APT29—a sophisticated threat actor behind the breaches at the Portuguese and Brazilian Embassies. Our goal is to present this information in a clear, reader-friendly format, enriched with detailed examples. We also aim to provide actionable detection strategies for these kinds of cyber threats.

Understanding APT29: A new era of cyber espionage

APT29, also known as Nobelium or Midnight Blizzard, is a prominent cyber espionage group that has made multiple headlines over the past several years. This group has executed sophisticated cyber attacks targeting an array of entities — from governmental bodies such as the Portuguese and Brazilian Embassies, to corporate giants like Microsoft.

In a joint advisory, the Five Eyes agencies cautioned that APT29 is adapting to modern IT environments, particularly the widespread adoption of cloud-based infrastructure. Shifting from traditional exploitation of on-premises network vulnerabilities, APT29 now specifically targets cloud services. Notably, the group has been actively targeting Azure and Microsoft 365 environments.

In the following analysis, we will thoroughly examine the documented attacks by APT29 on Microsoft’s cloud infrastructure and discuss the strategies for detection that can be developed based on these incidents. This exploration aims to provide insights into the operational methods of APT29 and offer guidance on enhancing cybersecurity preparedness against such sophisticated threats.

APT29’s methodology in cloud-based attacks

The attacker executed a password guessing attack (1) against Microsoft’s own internal cloud tenant, which hosts the Microsoft 365 services. These attackers were observed using residential proxies (2) to conceal their origin IP addresses.

By sheer luck, the attacker successfully discovered a test account (3) that was not protected with MFA.

After successfully logging in, the attacker found a legacy OAuth Application (4) accessible by the breached account, which held a high level of privileges. This OAuth Application is also known as an ‘Enterprise App’ in Azure AD. It was likely discovered through the enumeration of all Azure Applications to identify accessible services and resources with the breached account.

The attacker proceeded to create a new Azure AD account (5) and a new malicious OAuth Application (6) through the legacy OAuth Application with high privileges (4).

Subsequently, the attacker disabled auditing for Purview (7) and used the new malicious OAuth Application to read the emails of all users in that tenant. Because Purview auditing was disabled, there was no audit trail of the OAuth Application reading the email.

Mapping APT29’s Techniques: A Focus on MITRE’s TTPs

By aligning APT29’s actions with the MITRE ATT&CK framework, we can categorize and understand their tactics, techniques, and procedures (TTPs) more effectively. This alignment helps in developing targeted defenses against their known strategies.

Detection strategies: Identifying and mitigating threats

There are multiple opportunities to notice if something is amiss. Let’s go through the steps in the timeline and find out how we can detect these problems.

In the first part of the attack, we can find signs of a password guessing attack by checking the Azure AD or Audit management log. We can look for successful logins that come after failed ones (A). 

In the same login activities, we can also find suspicious logins from places that are not normal for the organization or account, such as logins from a VPN IP range (B) that the attacker used in the second part of the attack.

In the fifth part of the attack, the attacker created a new account in Azure AD. We can detect this by keeping an eye on the Audit management log for such privileged action (C).

In the sixth part of the attack, the attacker made a new privileged application in Azure AD. Similarly, we can detect this by looking through the Audit management log for such privileged actions (D).

In the last stage of the attack, the attacker disabled the Purview auditing. We can detect this by monitoring the Audit management log for audit logging being disabled (E).

The following table outlines the threats demonstrated by the threat actor and the corresponding detection strategies.

| Threats | Detection strategies | Stage in illustration |
| --- | --- | --- |
| Password guessing attack | Successful login with multiple failed attempts | A |
| Suspicious login from residential proxy | Login from one country to another within a short span of time; login from an unusual country | B |
| Creation of global administrator account | Suspicious account creation; privileged role(s) assigned | C |
| Creation of malicious enterprise application | Suspicious enterprise applications created | D |
| Disabling of Purview audit logs | Audit logging disabled | E |
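The detection strategies A to E above, implemented as an added example (not code from InsiderSecurity or from the original article) over constructed sign-in and audit records. The record fields and the audit operation names are simplified assumptions modelled loosely on Azure AD sign-in and audit logs, not a real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified sign-in records (assumed fields, not a real Azure AD schema).
SIGNINS = [
    {"ts": "2024-01-10T01:00:00", "user": "alice@contoso.example", "ip": "198.51.100.9", "country": "SG", "ok": True},
    {"ts": "2024-01-10T02:00:00", "user": "test-acct@contoso.example", "ip": "203.0.113.7", "country": "NL", "ok": False},
    {"ts": "2024-01-10T02:03:00", "user": "test-acct@contoso.example", "ip": "203.0.113.7", "country": "NL", "ok": False},
    {"ts": "2024-01-10T02:06:00", "user": "test-acct@contoso.example", "ip": "203.0.113.7", "country": "NL", "ok": False},
    {"ts": "2024-01-10T02:09:00", "user": "test-acct@contoso.example", "ip": "203.0.113.7", "country": "NL", "ok": False},
    {"ts": "2024-01-10T02:12:00", "user": "test-acct@contoso.example", "ip": "203.0.113.7", "country": "NL", "ok": True},
]
# Constructed audit records; the operation names are assumptions for illustration.
AUDIT = [
    {"ts": "2024-01-10T02:20:00", "actor": "test-acct@contoso.example", "op": "Add user"},
    {"ts": "2024-01-10T02:21:00", "actor": "test-acct@contoso.example", "op": "Add member to role"},
    {"ts": "2024-01-10T02:25:00", "actor": "test-acct@contoso.example", "op": "Add service principal"},
    {"ts": "2024-01-10T02:30:00", "actor": "test-acct@contoso.example", "op": "Set-AdminAuditLogConfig"},
]
# Maps a privileged operation to the stage it indicates in the table above.
PRIVILEGED_OPS = {"Add user": "C", "Add member to role": "C",
                  "Add service principal": "D", "Set-AdminAuditLogConfig": "E"}

def parse(ts):
    return datetime.fromisoformat(ts)

def detect_guessing(signins, min_failures=3, window=timedelta(minutes=30)):
    """(A) A successful sign-in preceded by >= min_failures failures for the same account inside the window."""
    hits, fails = [], defaultdict(list)
    for e in sorted(signins, key=lambda r: r["ts"]):
        t = parse(e["ts"])
        recent = [f for f in fails[e["user"]] if t - f <= window]  # drop failures outside the window
        fails[e["user"]] = recent
        if e["ok"]:
            if len(recent) >= min_failures:
                hits.append((e["user"], e["ip"], len(recent)))
        else:
            recent.append(t)
    return hits

def detect_unusual_country(signins, baseline):
    """(B) A successful sign-in from a country outside the organisation's usual set."""
    return [(e["user"], e["country"]) for e in signins if e["ok"] and e["country"] not in baseline]

def detect_privileged_ops(audit):
    """(C)(D)(E) Account creation, role assignment, app creation and audit-config changes."""
    return [(PRIVILEGED_OPS[a["op"]], a["actor"], a["op"]) for a in audit if a["op"] in PRIVILEGED_OPS]
```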

Staying ahead of cyber threats

Innovative solutions by InsiderSecurity

Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behavior analytics products that help your company to uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the CSX for ensuring cloud data security.

CSX is designed to detect the sophisticated attacks described in this article, making it an essential subscription for any organization serious about its cybersecurity posture. Beyond detecting threats, CSX offers recommendations and a user-friendly avenue for executing remedial actions and implementing mitigation strategies.

CSX provides an easy way to perform mitigation and remediation.