
The rise of Midnight Blizzard's cyber attacks: Microsoft alerts

A dramatic increase in intrusions by the Russian hacker group is reported; the techniques used are increasingly sophisticated and disguised


Microsoft has revealed a dramatic increase in credential-stealing attacks perpetrated by the state-affiliated Russian hacker group known as Midnight Blizzard. According to the tech giant's threat intelligence team, these attacks use residential proxy services to mask the source IP address and target governments, IT service providers, NGOs, the defense sector and critical manufacturing. Midnight Blizzard, formerly known as Nobelium, is also tracked under several other names, including APT29, Cozy Bear, Iron Hemlock and The Dukes.

Sophisticated attack tactics

Midnight Blizzard, known for the SolarWinds supply chain compromise in December 2020, has continued to rely on unprecedented tools in its targeted attacks on foreign ministries and diplomatic entities. This demonstrates the group's determination to keep its operations going despite being exposed, making it a particularly formidable player in the area of espionage. Microsoft stated that “these credential attacks use a variety of password spray, brute force, and token theft techniques,” adding that the actor “also conducted session replay attacks to gain initial access to cloud resources by leveraging stolen sessions likely acquired through illicit sale.”

Hide your identity

Microsoft also highlighted how APT29 uses residential proxy services to route malicious traffic, trying to obfuscate connections made using compromised credentials. "The threat actor likely used these IP addresses for short periods, making it difficult to locate and fix the problem," said the Windows maker. Simultaneously, Recorded Future detailed a new spear-phishing campaign organized by APT28 (aka BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight and Fancy Bear), which has been targeting government and military entities in Ukraine since November 2021.
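The two patterns described above, password spraying and short-lived residential-proxy IPs behind stolen credentials or replayed sessions, leave distinct traces in sign-in telemetry. The following is an added detection example, not code from the original article or from Microsoft: two heuristics run over constructed sample sign-in events. The event layout, thresholds, user names and IP addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): (timestamp, user, source_ip, outcome)
SAMPLE_EVENTS = [
    ("2023-06-28T10:00:01", "alice", "203.0.113.10", "fail"),
    ("2023-06-28T10:00:05", "bob", "203.0.113.10", "fail"),
    ("2023-06-28T10:00:09", "carol", "203.0.113.10", "fail"),
    ("2023-06-28T10:00:12", "dave", "203.0.113.10", "fail"),
    ("2023-06-28T10:00:15", "erin", "203.0.113.10", "fail"),
    ("2023-06-28T10:00:20", "frank", "203.0.113.10", "success"),
    ("2023-06-28T11:00:00", "frank", "198.51.100.7", "success"),
    ("2023-06-28T11:20:00", "frank", "198.51.100.8", "success"),
    ("2023-06-28T11:40:00", "frank", "198.51.100.9", "success"),
    ("2023-06-28T12:00:00", "bob", "192.0.2.5", "success"),
]

def _burst(pairs, min_distinct, window):
    """Return the sorted distinct values seen within `window` of some start point
    if they number at least `min_distinct`, else None. `pairs` is [(timestamp, value)]."""
    pairs = sorted(pairs)
    for i, (start, _) in enumerate(pairs):
        seen = {v for t, v in pairs[i:] if t - start <= window}
        if len(seen) >= min_distinct:
            return sorted(seen)
    return None

def _group(events, outcome, key_index, value_index):
    groups = defaultdict(list)
    for ev in events:
        if ev[3] == outcome:
            groups[ev[key_index]].append((datetime.fromisoformat(ev[0]), ev[value_index]))
    return groups

def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs whose failed sign-ins hit many distinct accounts in a short window.
    A spray tries one password against many users, so per-account lockout
    counters never trip; grouping failures by source IP surfaces it."""
    hits = {ip: _burst(p, min_accounts, window) for ip, p in _group(events, "fail", 2, 1).items()}
    return {ip: users for ip, users in hits.items() if users}

def detect_ip_churn(events, min_ips=3, window=timedelta(hours=1)):
    """Accounts whose successful sign-ins hop across many source IPs within a window:
    the trace left by short-lived residential-proxy addresses used behind a stolen
    credential or a replayed session token."""
    hits = {u: _burst(p, min_ips, window) for u, p in _group(events, "success", 1, 2).items()}
    return {u: ips for u, ips in hits.items() if ips}
```

Both detectors are per-IP or per-account sliding windows; in practice the thresholds are tuned against a baseline of legitimate sign-ins, since mobile users and corporate NAT also produce some IP churn.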

Continuous cyber attacks

The attacks relied on email attachments that exploited multiple vulnerabilities in the open-source webmail software Roundcube to perform reconnaissance and data collection. A successful intrusion allowed Russian military intelligence hackers to deploy malicious JavaScript that redirected the targeted individuals' incoming email to an address under the attackers' control while also stealing their contact lists. This activity aligns with another set of attacks exploiting a then-unknown vulnerability in Microsoft Outlook (CVE-2023-23397), which Microsoft reported as being used by Russia-based threat actors in "limited targeted attacks" against European organizations.


06/28/2023 22:00

Editorial AI
