ROADtools Cloud Identity Attacks: Nation-State Tradecraft in Entra ID
Source report: Unit 42 published research documenting that at least four nation-state actor clusters, including Cloaked Ursa (APT29, Russia), Curious Serpens (APT33, Iran), UTA0355 (Russia) and Void Blizzard (Laundry Bear, Russia), have operationalized ROADtools, an open-source Python framework originally built for Entra ID research, as a core component of their cloud intrusion tradecraft. These actors target the identity plane directly rather than exploiting application-layer vulnerabilities, and because they rely on legitimate Microsoft authentication endpoints and Graph API calls, their activity is hard to distinguish from authorized administrative operations without dedicated identity telemetry (sign-in logs, audit logs and Graph activity logs). The framework has two primary components: roadrecon for tenant enumeration and roadtx for token acquisition and device manipulation. Both are Python-based and, unless the operator overrides them, emit identifiable user-agent strings.
Initial access varies by actor. Curious Serpens runs password spray campaigns against Entra ID sign-in endpoints to harvest credentials at scale, while other clusters use device code phishing: the attacker starts an OAuth 2.0 device authorization flow, sends the resulting user code to the victim, and the victim completes sign-in on the legitimate Microsoft portal, unknowingly issuing the attacker an access token and refresh token for the client the attacker chose. roadtx automates token acquisition across several OAuth 2.0 flows and can use such a refresh token to register a rogue device in Entra ID and obtain a Primary Refresh Token (PRT) bound to it. Its default registration fingerprints are predictable (a fixed Windows OS version string and device names that follow a consistent pattern), and in tenants whose conditional access policies trust registered devices or do not restrict who may register devices, the attacker-controlled device and its PRT can satisfy MFA and device requirements. Once a device-bound PRT is held, the attacker can mint fresh access tokens repeatedly without any interactive login, so presence persists through password resets and session revocation events until the rogue device object itself is disabled or deleted, which invalidates the PRT.
The roadrecon component systematically enumerates the tenant through Microsoft's Graph APIs (historically the legacy Azure AD Graph endpoint rather than Microsoft Graph, so identity telemetry should cover both), cataloguing users, groups, roles, devices, service principals and application permissions into a local SQLite database with a web GUI for analysis. This inventory reveals privilege escalation paths, misconfigured application permissions, and service principals holding broad scopes such as Directory.ReadWrite.All and RoleManagement.ReadWrite.Directory. Attackers then act on it by adding credentials (client secrets or certificates) to high-value service principals, granting new high-risk application role assignments, and assigning directory roles directly rather than through PIM, establishing persistent backdoors tied to application identities. These survive incident response procedures that only reset or disable compromised user accounts; remediation also has to inventory and rotate service principal credentials and review app role and directory role assignments made during the intrusion window.
Detections (10)
- Device Code Authentication with Broker Client in Entra ID
- Entra ID Rogue Device Registration with Attack Tool Fingerprint
- Scripted Client Authenticating to Azure Device Registration Service
- Microsoft Graph API Tenant Enumeration Burst
- Sensitive Admin Action via Scripting Interface
- Credentials Added to Service Principal
- High-Risk Application Permission Granted to Service Principal
- Sensitive Resource Access Immediately Following Device Code Grant
- Service Principal Authentication Shortly After New Credential Added
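The detection ideas in the list above map directly onto the tradecraft described in the two paragraphs on initial access and post-enumeration persistence. The following Python is an added example, not code from Unit 42 or from the ROADtools project, showing four of those checks run over constructed Entra ID log records: a device code grant (flagged high when the client is the Microsoft Authentication Broker, the client used for device registration), a scripted client authenticating to the Device Registration Service, a Graph enumeration burst, and a service principal signing in shortly after a credential was added to it. Field names follow the Microsoft Graph signIn, servicePrincipalSignIn and directoryAudit schemas; the Graph activity records, the user-agent regex, the window sizes and the thresholds are assumptions to tune for a real tenant.

```python
"""Detection logic for the ROADtools tradecraft described above, run over
constructed Entra ID log records. Added example; not Unit 42 or ROADtools code.
Field names follow the Microsoft Graph signIn / servicePrincipalSignIn /
directoryAudit schemas; the Graph-activity records, the user-agent regex
and the thresholds are assumptions to tune for a real tenant."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: HTTP-library default user agents indicate a scripted client.
SCRIPTED_UA = re.compile(r"python-requests|python-urllib|aiohttp", re.I)
# Directory collections whose bulk reads look like roadrecon-style enumeration.
ENUM_PATHS = ("/users", "/groups", "/servicePrincipals", "/applications",
              "/devices", "/directoryRoles")
BROKER_CLIENT = "Microsoft Authentication Broker"  # client used to register devices


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def device_code_grants(signins):
    """Device code flow completions; grants to the broker client rank high."""
    out = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        sev = "high" if s["appDisplayName"] == BROKER_CLIENT else "medium"
        out.append((s["userPrincipalName"], s["appDisplayName"], sev))
    return out


def scripted_drs_auth(signins):
    """Scripted clients obtaining tokens for the Device Registration Service."""
    return [(s["userPrincipalName"], s["userAgent"]) for s in signins
            if s.get("resourceDisplayName") == "Device Registration Service"
            and SCRIPTED_UA.search(s.get("userAgent", ""))]


def enumeration_bursts(graph_events, threshold=4, window=timedelta(minutes=5)):
    """Actors reading >= threshold distinct directory collections inside one window."""
    by_actor = defaultdict(list)
    for e in graph_events:
        path = e["requestUri"].split("?")[0].rstrip("/")
        for p in ENUM_PATHS:
            if path.endswith(p):          # collection read, not a single-object GET
                by_actor[e["userId"]].append((_ts(e["timestamp"]), p))
    hits = []
    for actor, events in by_actor.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                hits.append((actor, sorted(seen)))
                break                     # one alert per actor is enough
    return hits


def sp_cred_then_signin(audits, sp_signins, window=timedelta(hours=1)):
    """Credential added to a service principal, then that SP signs in within window."""
    added = {}
    for a in audits:
        if a["activityDisplayName"] == "Add service principal credentials":
            added[a["targetResources"][0]["id"]] = (
                _ts(a["activityDateTime"]),
                a["initiatedBy"]["user"]["userPrincipalName"])
    hits = []
    for s in sp_signins:
        if s["servicePrincipalId"] in added:
            t_add, actor = added[s["servicePrincipalId"]]
            delta = _ts(s["createdDateTime"]) - t_add
            if timedelta(0) <= delta <= window:
                hits.append((s["servicePrincipalId"], actor,
                             int(delta.total_seconds() // 60)))
    return hits


# Constructed sample records (not real telemetry).
SIGNINS = [
    {"userPrincipalName": "jdoe@contoso.example", "appDisplayName": BROKER_CLIENT,
     "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"userPrincipalName": "jdoe@contoso.example", "appDisplayName": BROKER_CLIENT,
     "authenticationProtocol": "none", "resourceDisplayName": "Device Registration Service",
     "userAgent": "python-requests/2.32.3"},
    {"userPrincipalName": "asmith@contoso.example", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "none", "resourceDisplayName": "Microsoft Graph",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]
GRAPH_EVENTS = [  # loosely modelled on MicrosoftGraphActivityLogs (assumed field names)
    {"userId": "u-1", "timestamp": "2025-01-10T09:00:00Z", "requestUri": "https://graph.microsoft.com/v1.0/users?$top=999"},
    {"userId": "u-1", "timestamp": "2025-01-10T09:00:10Z", "requestUri": "https://graph.microsoft.com/v1.0/groups"},
    {"userId": "u-1", "timestamp": "2025-01-10T09:00:20Z", "requestUri": "https://graph.microsoft.com/v1.0/servicePrincipals"},
    {"userId": "u-1", "timestamp": "2025-01-10T09:00:30Z", "requestUri": "https://graph.microsoft.com/v1.0/applications"},
    {"userId": "u-2", "timestamp": "2025-01-10T09:05:00Z", "requestUri": "https://graph.microsoft.com/v1.0/users/abc-123"},
]
AUDITS = [
    {"activityDisplayName": "Add service principal credentials", "activityDateTime": "2025-01-10T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example"}},
     "targetResources": [{"id": "sp-42", "displayName": "BackupSync"}]},
]
SP_SIGNINS = [
    {"servicePrincipalId": "sp-42", "createdDateTime": "2025-01-10T10:12:00Z"},
    {"servicePrincipalId": "sp-99", "createdDateTime": "2025-01-10T10:13:00Z"},
]


def run_all():
    return {"device_code": device_code_grants(SIGNINS),
            "scripted_drs": scripted_drs_auth(SIGNINS),
            "enum_bursts": enumeration_bursts(GRAPH_EVENTS),
            "sp_cred_signin": sp_cred_then_signin(AUDITS, SP_SIGNINS)}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

In production these four checks belong in the SIEM's query language rather than in a script, but the correlation shape is the same: the device code grant and the scripted Device Registration Service sign-in are single-event rules, while the enumeration burst and the credential-then-sign-in rule need a time window keyed on the actor or the target service principal. Note that `enumeration_bursts` only counts collection reads (`/users`, not `/users/{id}`), which is what distinguishes a roadrecon-style dump from normal per-object administrative traffic.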