In a recent revelation, Microsoft has reported a significant rise in credential-stealing attacks carried out by Midnight Blizzard, a Russian state-affiliated hacker group. The threat intelligence team of the tech giant has identified that these intrusions target a wide range of sectors, including governments, IT service providers, NGOs, defense, and critical manufacturing sectors.

The hacker group, also known as Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes, has reportedly been using residential proxy services to mask the source IP address of the attacks. This group gained global attention due to its role in the SolarWinds supply chain compromise back in December 2020. Despite exposure, Midnight Blizzard has continued its operations, relying on unseen tooling for targeted attacks against foreign ministries and diplomatic entities.

Persistent Threat Techniques

Microsoft revealed that the group has been using a variety of techniques for its credential attacks, including password spraying, brute force, and token theft. It has also performed session replay attacks to gain initial access to cloud resources. These stolen sessions are believed to have been acquired through illicit sales.

APT29’s use of residential proxy services has been particularly noted. This is a strategy used to route malicious traffic and hide the connections made using compromised credentials. As Microsoft points out, the threat actor is likely to use these IP addresses for brief periods, making scoping and remediation quite challenging.

APT28’s Spear-Phishing Campaign

Alongside this, cybersecurity firm Recorded Future has detailed a new spear-phishing campaign by APT28 (also known as BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear), targeting Ukrainian government and military entities since November 2021.

These attacks have exploited multiple vulnerabilities in the open-source Roundcube webmail software, allowing the Russian military intelligence hackers to deploy rogue JavaScript malware. This malware redirects incoming emails of the targets to an email address under the attacker’s control and steals their contact lists.

“The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients,” Recorded Future stated.

Exploitation of Zero-Day Flaw

In addition, these spear-phishing attacks align with another set of attacks exploiting a zero-day flaw in Microsoft Outlook (CVE-2023-23397). Microsoft disclosed this was used in “limited targeted attacks” by Russia-based threat actors against European organizations. This privilege escalation vulnerability was addressed in the Patch Tuesday updates rolled out in March 2023.

These incidents underscore Russian threat actors’ persistent efforts to harvest valuable intelligence from various entities in Ukraine and across Europe, especially after the full-scale invasion of Ukraine in February 2022. The cyberwarfare operations targeting Ukraine have been marked by the widespread deployment of wiper malware, intending to delete and destroy data. This has resulted in one of the earliest instances of large-scale hybrid conflict.

Recorded Future concluded its report by stating, “BlueDelta will almost certainly continue to prioritize targeting Ukrainian government and private sector organizations to support wider Russian military efforts.” The cybersecurity landscape continues to evolve rapidly, with state-affiliated groups demonstrating a high level of sophistication and persistence in their attacks.