Microsoft on the Tactics Used by the Midnight Blizzard

In a recent revelation, Microsoft has disclosed the sophisticated tactics employed by the Russian Foreign Intelligence Service-associated hacking group, Midnight Blizzard (also known as Nobelium or APT29). The cyberespionage campaign, initially discovered in November 2023 when the group breached Microsoft executives’ email accounts, has now been traced to a broader set of infiltrations across various organizations.

Russian Ties and Targets

Midnight Blizzard, believed to be a state-backed group linked to the Russian Foreign Intelligence Service (SVR), primarily targets government entities, NGOs, software developers, and IT service providers in the U.S. and Europe.

Microsoft’s Confirmation

On January 12, 2024, Microsoft confirmed that the Russian hackers not only breached its systems but also pilfered emails from key departments such as leadership, cybersecurity, and legal teams. The stolen emails contained sensitive information about the hacking group itself, enabling the threat actors to gauge Microsoft’s awareness of their activities.

Breaching Microsoft’s Defenses

Microsoft detailed that the threat actors utilized residential proxies and “password spraying” brute-force attacks. Notably, a “legacy, non-production test tenant account” lacking multi-factor authentication (MFA) became the gateway for the intrusion.

Microsoft OAuth Applications and Elevated Access

The compromised test account had access to an OAuth application with elevated privileges within Microsoft’s corporate environment. Exploiting this, Midnight Blizzard created additional malicious OAuth applications, eventually gaining access to other corporate mailboxes. The attackers also manipulated OAuth permissions, ultimately obtaining the Office 365 Exchange Online full_access_as_app role.

Microsoft Identifying Malicious Activity

Microsoft traced the breach through Exchange Web Services (EWS) logs, applying insights from known Russian state-sponsored hacking group tactics. This approach allowed Microsoft to identify similar attacks by Midnight Blizzard on other organizations.

Wide Impact

Hewlett Packard Enterprise (HPE) recently disclosed unauthorized access by Midnight Blizzard to its Microsoft Office 365 email environment, underscoring the broader implications of the cyberespionage campaign. Earlier, the Chinese Storm-0558 hacking group had similarly breached Microsoft’s Exchange servers, stealing 60,000 emails from U.S. State Department accounts.

Microsoft on Defending Against Midnight Blizzard

Microsoft has shared comprehensive detection and hunting methods for defenders. Focusing on identity, XDR, and SIEM alerts is crucial. Suspicious scenarios include elevated activity in cloud app access, spikes in API calls post-credential updates, and increased Exchange Web Services API usage in non-Microsoft OAuth apps. Microsoft recommends utilizing targeted hunting queries in Microsoft Defender XDR and Microsoft Sentinel for identifying and investigating potential Midnight Blizzard activities.

As organizations face an escalating cyber threat landscape, understanding and countering the tactics of sophisticated threat actors like Midnight Blizzard becomes paramount for safeguarding sensitive information and maintaining the integrity of digital ecosystems.

---

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.