On January 25th, 2024, Microsoft disclosed that the APT29 threat group, a team of Russian state-sponsored hackers, was implicated in the November 2023 cyber attack on its systems. Microsoft also indicated that it had identified other organizations the group had been attacking and was proactively notifying them.
This acknowledgment follows a statement from Hewlett Packard Enterprise (HPE) confirming that their systems were compromised by the same APT29 threat actors who targeted Microsoft.
APT29 is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. APT stands for Advanced Persistent Threat, which is a name given to highly sophisticated cybersecurity threat groups.
- Microsoft announced that Russian state-sponsored hackers, responsible for a cyber attack in November 2023, have been actively targeting various organizations.
- The revelation by Microsoft followed Hewlett Packard Enterprise’s (HPE) confirmation of a breach by APT29 threat actors, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, Nobelium, and The Dukes.
- Microsoft’s Threat Intelligence team reported that APT29 primarily targets government agencies, diplomatic entities, NGOs, and IT service providers in the U.S. and Europe.
- The group focuses on long-term infiltration to collect strategically significant information for Russia, often remaining undetected.
- APT29 uses various initial access methods, including stolen credentials, supply chain attacks, and exploiting service providers’ trust chains.
The U.S. and UK governments recognize Midnight Blizzard (aka APT29) as Russia’s Foreign Intelligence Service (SVR), which primarily targets governments, NGOs, diplomatic entities, and IT service providers in the U.S. and Europe.
As discussed in the MSRC blog, Microsoft acknowledges the challenges posed by well-funded, nation-state threat actors. This incident stresses the need for a strategic shift in balancing security and business risks.
The traditional approach to mitigating cyber threats is becoming insufficient, and Microsoft is accelerating its efforts to enhance security measures. If the same scenario were to occur today, Microsoft policies would enforce Multi-Factor Authentication (MFA) and other active protections, ensuring stronger defense against similar attacks.
Microsoft identified these attacks using Exchange Web Services (EWS) log data and its extensive understanding of Midnight Blizzard’s tactics, techniques, and procedures. Its blog describes Midnight Blizzard’s techniques and offers practical advice for protection, detection, and response to similar threats.
Further investigation by Microsoft Threat Intelligence revealed Midnight Blizzard’s targeting of other organizations. Microsoft has initiated its standard notification process to alert these organizations.
The investigation is ongoing, and Microsoft will continue to update us as necessary.
Observed Activities and Techniques of Midnight Blizzard
- Password Sprays: They used password spray attacks to compromise a non-production legacy tenant account lacking MFA. These attacks were tailored and low-profile to evade detection.
- Malicious OAuth Applications: Midnight Blizzard compromised accounts to create and manipulate OAuth applications, granting themselves high permissions and maintaining access even after losing their initial account.
- Exchange Web Services Exploitation: These compromised OAuth applications were used to access Microsoft Exchange Online and target corporate email accounts.
- Residential Proxy Infrastructure: To obscure their attack’s origin, they utilized residential proxy networks, blending their traffic with legitimate users and complicating traditional IoC-based detection due to the rapid IP address turnover.
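The password-spray and residential-proxy points above mean that counting failed sign-ins per source IP will not surface this kind of activity. The following Python is an added example, not code from Microsoft or from the original article: it compares a per-IP rule with a rule that counts distinct accounts failing in a time window. The record layout `(timestamp, source_ip, account)`, the thresholds, and all sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def per_ip_alerts(events, threshold=3):
    """Per-source rule: flag any IP with at least `threshold` failed sign-ins."""
    counts = Counter(ip for _ts, ip, _acct in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def spray_windows(events, window=timedelta(hours=1), min_accounts=6, max_per_account=2):
    """Flag windows where many distinct accounts each fail only a few times,
    no matter how many source IPs the failures came from."""
    buckets = defaultdict(Counter)
    for ts, _ip, acct in events:
        # Align each event to a fixed window start (simple tumbling windows).
        start = datetime.min + ((ts - datetime.min) // window) * window
        buckets[start][acct] += 1
    hits = []
    for start, per_acct in sorted(buckets.items()):
        low_volume = [a for a, n in per_acct.items() if n <= max_per_account]
        if len(low_volume) >= min_accounts:
            hits.append((start, len(low_volume)))
    return hits

# Constructed sample data (not real logs); IPs are documentation ranges.
BASE = datetime(2024, 1, 10, 9, 0)
# Spray: 8 accounts, one failure each, every attempt from a different IP.
SPRAY = [(BASE + timedelta(minutes=5 * i), f"203.0.113.{10 + i}", f"user{i}@example.com")
         for i in range(8)]
# Benign noise: one user mistypes a password three times from one IP, later.
NOISE = [(BASE + timedelta(hours=3, minutes=m), "198.51.100.7", "alice@example.com")
         for m in (0, 1, 2)]
EVENTS = SPRAY + NOISE

if __name__ == "__main__":
    print("per-IP rule flags:", per_ip_alerts(EVENTS))
    print("account-spread rule flags:", spray_windows(EVENTS))
```

On this sample the per-IP rule flags only the benign user, while the account-spread rule flags the 09:00 window. Tumbling windows can split a spray that straddles a boundary, so overlapping or longer windows reduce that gap.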
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional