CISA | Cybersecurity Advisories

SVR Cyber Actors Adapt Tactics for Initial Cloud Access

The SVR, a sophisticated cyber espionage group, has adapted its tactics to target cloud infrastructure, gaining initial access through brute forcing and password spraying and by exploiting system and dormant accounts. They also use stolen access tokens to authenticate without a password, and bypass multi-factor authentication through "MFA bombing." To defend against these activities, organizations should implement multi-factor authentication, disable inactive accounts, and enforce least-privilege access for system and service accounts. They should also configure device enrollment policies, monitor application and host-based logs, and use zero-touch enrollment where possible. The NCSC and international partners have observed these tactics in the last 12 months, and the guidance in this advisory aims to help network defenders mitigate the SVR's initial access vectors.
cisa.gov
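
As an added example (not taken from the advisory), the following shows detection logic for three of the initial-access patterns summarized above: password spraying, MFA bombing, and sign-ins to dormant accounts, run over constructed sign-in events. The event schema, result values, account names, thresholds and function names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sign-in events (hypothetical schema; "mfa_approved" = completed sign-in).
def _e(ts, user, src, result):
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "result": result}

EVENTS = [
    _e("2024-03-01T02:00:00", "alice", "203.0.113.7", "bad_password"),
    _e("2024-03-01T02:00:20", "bob", "203.0.113.7", "bad_password"),
    _e("2024-03-01T02:00:40", "carol", "203.0.113.7", "bad_password"),
    _e("2024-03-01T02:01:00", "svc-backup", "203.0.113.7", "bad_password"),
    _e("2024-03-01T09:00:00", "alice", "198.51.100.4", "bad_password"),  # ordinary typo
    _e("2024-03-01T09:00:30", "alice", "198.51.100.4", "mfa_approved"),
    _e("2024-03-01T23:10:00", "dave", "203.0.113.9", "mfa_denied"),
    _e("2024-03-01T23:11:00", "dave", "203.0.113.9", "mfa_denied"),
    _e("2024-03-01T23:12:00", "dave", "203.0.113.9", "mfa_denied"),
    _e("2024-03-01T23:13:00", "dave", "203.0.113.9", "mfa_approved"),
    _e("2024-03-02T01:00:00", "old-contractor", "203.0.113.9", "mfa_approved"),
]
# Constructed directory data: last sign-in recorded before the log window above.
LAST_ACTIVE = {"alice": datetime(2024, 2, 28), "dave": datetime(2024, 2, 27),
               "old-contractor": datetime(2023, 6, 1)}

def password_spray_sources(events, min_users=4, window=timedelta(minutes=10)):
    """Sources whose password failures hit >= min_users distinct accounts within window."""
    fails = [e for e in events if e["result"] == "bad_password"]
    hits = set()
    for first in fails:
        users = {f["user"] for f in fails if f["src"] == first["src"]
                 and timedelta(0) <= f["ts"] - first["ts"] <= window}
        if len(users) >= min_users:
            hits.add(first["src"])
    return sorted(hits)

def mfa_fatigue_users(events, min_denied=3, window=timedelta(minutes=15)):
    """Users who approved a prompt after >= min_denied rejected prompts inside window."""
    hits = set()
    for ok in (e for e in events if e["result"] == "mfa_approved"):
        denied = [e for e in events if e["user"] == ok["user"] and e["result"] == "mfa_denied"
                  and timedelta(0) <= ok["ts"] - e["ts"] <= window]
        if len(denied) >= min_denied:
            hits.add(ok["user"])
    return sorted(hits)

def dormant_account_logins(events, last_active, max_idle=timedelta(days=90)):
    """Completed sign-ins to accounts idle longer than max_idle (or never seen before)."""
    return sorted({e["user"] for e in events if e["result"] == "mfa_approved"
                   and e["ts"] - last_active.get(e["user"], datetime.min) > max_idle})
```

Thresholds and windows need tuning against an organization's own sign-in baseline; the values here only fit the constructed data.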