SOCRadar® Cyber Intelligence Inc. | Credential Theft Attacks Surge: Microsoft Raises Red Flag on Midnight Blizzard (APT29)


Jun 27, 2023
Microsoft has identified Midnight Blizzard, a Russian state-affiliated hacking group also known as APT29, as the source behind a recent surge in credential theft.

The widespread operations carried out by Midnight Blizzard involve the use of residential proxy services to hide the origin IP address. A residential proxy is an intermediary server that routes internet traffic through residential IP addresses, making it appear as if the connection is coming from a regular home or residential network.

The impact of these attacks is far-reaching, with governments, IT service providers, non-governmental organizations (NGOs), as well as defense and critical manufacturing industries being targeted.

Who Is Midnight Blizzard (APT29)? 

Midnight Blizzard, previously known as Nobelium and tracked as APT29, is also known by aliases including Cozy Bear, Iron Hemlock, and The Dukes. The APT group gained international attention for the SolarWinds supply chain compromise in December 2020.

Despite being exposed to the public through the SolarWinds incident, the group maintains its dedication and continues to conduct targeted attacks on foreign ministries and diplomatic entities.

For more information, read the APT profile for Midnight Blizzard on the SOCRadar blog.

Microsoft Discloses the Tactics of Midnight Blizzard (APT29)

According to Microsoft, Midnight Blizzard employs a range of techniques in these attacks, including password spraying, brute force, token theft, and session replay, to gain unauthorized access to cloud resources. Furthermore, APT29 has been using residential proxy services to conceal malicious traffic and obscure the connections they establish via stolen credentials.
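A detection sketch for the combination described above, password spraying routed through residential proxies, showing why a rule keyed on source IP stays silent while a rule keyed on the number of distinct accounts failing in a time window fires. This is an added example, not code from Microsoft or SOCRadar; the log schema, thresholds and function names are assumptions, and the sign-in events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

def build_sample():
    """Constructed sign-in events (time, source IP, user, result); IPs are RFC 5737 documentation ranges."""
    t0 = datetime(2023, 6, 27, 9, 0)
    # Spray: 12 accounts, one failed guess each, every attempt from a different proxy exit IP.
    events = [(t0 + timedelta(seconds=20 * i), f"198.51.100.{i + 1}", f"user{i:02d}", "FAIL")
              for i in range(12)]
    # Benign noise: one user mistypes a password three times from one IP, then succeeds.
    events += [(t0 + timedelta(minutes=30, seconds=10 * i), "203.0.113.7", "alice", "FAIL")
               for i in range(3)]
    events.append((t0 + timedelta(minutes=31), "203.0.113.7", "alice", "OK"))
    return events

def per_ip_alerts(events, threshold=5):
    """IP-keyed rule: source IPs with at least `threshold` failed sign-ins."""
    fails = Counter(ip for _, ip, _, result in events if result == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def spray_alerts(events, window=timedelta(minutes=10), min_users=10, max_per_user=2):
    """IP-agnostic rule: a sliding window in which many distinct accounts each fail only a few times."""
    fails = sorted((ts, user) for ts, _, user, result in events if result == "FAIL")
    alerts, start, end = [], 0, 0
    while end < len(fails):
        # Shrink the window until it spans no more than `window` of wall-clock time.
        while fails[end][0] - fails[start][0] > window:
            start += 1
        per_user = Counter(user for _, user in fails[start:end + 1])
        targeted = sorted(u for u, n in per_user.items() if n <= max_per_user)
        if len(targeted) >= min_users:
            # Fires as soon as the account threshold is crossed, then starts a fresh window.
            alerts.append({"first": fails[start][0], "last": fails[end][0], "users": targeted})
            start = end + 1
        end += 1
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP rule:", per_ip_alerts(sample))
    for alert in spray_alerts(sample):
        print("spray:", alert["first"], "->", alert["last"], len(alert["users"]), "accounts")
```

Lowering the per-IP threshold to 3 on this sample flags only the benign user's address, which is the failure mode proxy rotation produces for IP-keyed rules.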

The attacks exploited vulnerabilities in Roundcube webmail software (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) through email attachments, allowing Russian military intelligence hackers to conduct reconnaissance and gather data. 

A successful breach allowed hackers to deploy rogue JavaScript malware, redirecting targeted individuals’ incoming emails to an email address controlled by the attackers and stealing their contact lists. 

The campaign demonstrated preparedness by using news-themed spear-phishing emails related to Ukraine.

Additionally, these attacks coincide with the exploitation of a zero-day flaw in Microsoft Outlook (CVE-2023-23397) by Russia-based threat actors in limited targeted attacks against European organizations. The vulnerability was addressed through Patch Tuesday updates in March 2023. 

The findings highlight ongoing efforts by Russian threat actors to harvest intelligence in Ukraine and Europe, particularly after the country’s invasion. 

Cyberwarfare operations in Ukraine involve the widespread use of data-deleting wiper malware, representing early large-scale hybrid conflict. 

Researchers concluded that the group BlueDelta will likely continue prioritizing Ukrainian government and private sector targets to support wider Russian military efforts.

Enhancing Cybersecurity: Tracking Threat Actors with SOCRadar

Adversaries and Advanced Persistent Threat (APT) groups employ diverse strategies and tools to accomplish their goals. Understanding and tracking these adversaries in a flexible way is important because it offers valuable insights into their current tactics, techniques, and procedures (TTPs).

SOCRadar utilizes automated data collection, classification, and AI-driven analysis from numerous sources spanning the surface, deep, and dark web. 

By leveraging this technology, the SOCRadar Threat Actor Tracking module provides real-time alerts regarding APT group activities, enabling organizations to establish effective use cases for identifying and preventing malicious actions.

Threat Actors tab on SOCRadar platform