
SVR Cyber Actors Adapt Tactics for Initial Cloud Access

ID: 162eae59-6960-51c6-bff9-be0707c6c6b7

STIX ID: report--162eae59-6960-51c6-bff9-be0707c6c6b7

Feed Name: CISA Cybersecurity Advisories

Threat Score: 90/100

Date Published: 2024-02-23

Date Updated: 2026-04-19

Author: CISA

...
...

**Executive summary:** This advisory from the NCSC and international partners describes how SVR-attributed APT29 (aka Midnight Blizzard/Cozy Bear) has adapted to cloud infrastructure. It details observed initial access TTPs such as credential brute forcing and password spraying, theft of application access tokens, MFA request flooding, enrollment of attacker devices, and use of residential proxies. It also provides prioritized mitigations (MFA, short session lifetimes, device enrollment policies, account hygiene, and logging) to reduce risk.
