Microsoft has announced an increase in credential-stealing attacks conducted by Midnight Blizzard, a Russian state-affiliated hacker group.
The group has been utilizing residential proxy services to conceal the origin of the attacks, focusing on governments, IT service providers, NGOs, defense sectors, and critical manufacturing industries.
Midnight Blizzard, also known as APT29, Cozy Bear, Iron Hemlock, and The Dukes, gained international attention due to their involvement in the SolarWinds supply chain compromise in December 2020.
Despite being exposed, the group has continued employing sophisticated techniques and tools in their targeted attacks against foreign ministries and diplomatic entities, showcasing their resilience in espionage.
Microsoft highlighted that these credential attacks employ various methods, such as password spraying, brute-force attacks, and token theft. Additionally, the group has utilized session replay attacks to gain initial access to cloud resources by leveraging stolen sessions obtained through illicit means.
To obscure their connections made using compromised credentials, APT29 has relied on residential proxy services, making it challenging to identify and mitigate the attacks due to the short periods during which they utilize specific IP addresses.
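The IP-rotation problem described above, as an added detection example that is not part of Microsoft's report: because each proxy address is used only briefly, keying on source IP misses the spray, so this groups failed sign-ins per time window by account and flags windows where many accounts each see only a few failures. The sign-in events, field layout and IP addresses are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, time, timedelta

# Constructed sample sign-in events: (user, source IP, timestamp, result).
# IPs come from documentation ranges; they are placeholders, not real proxies.
SIGNIN_EVENTS = [
    ("alice", "198.51.100.10", "2023-06-20T10:00:05", "fail"),
    ("bob",   "198.51.100.23", "2023-06-20T10:00:41", "fail"),
    ("carol", "203.0.113.7",   "2023-06-20T10:01:12", "fail"),
    ("dave",  "203.0.113.88",  "2023-06-20T10:01:50", "fail"),
    ("erin",  "198.51.100.77", "2023-06-20T10:02:33", "fail"),
    ("frank", "203.0.113.41",  "2023-06-20T10:03:02", "fail"),
    ("alice", "192.0.2.5",     "2023-06-20T10:45:00", "success"),
    ("grace", "192.0.2.9",     "2023-06-20T11:30:00", "fail"),
    ("grace", "192.0.2.9",     "2023-06-20T11:30:20", "fail"),
    ("grace", "192.0.2.9",     "2023-06-20T11:30:45", "success"),
]

def detect_password_spray(events, window_minutes=10, min_users=5, max_per_user=2):
    """Return windows with many distinct accounts but few failures per account.

    A spray makes one or two guesses against many accounts; a brute force makes
    many guesses against one. Per-IP counting misses a spray routed through
    rotating residential proxies, so the user set is the key and distinct_ips
    is reported only to show how spread out the sources were.
    """
    buckets = defaultdict(lambda: {"users": Counter(), "ips": set()})
    for user, ip, ts, result in events:
        if result != "fail":
            continue
        t = datetime.fromisoformat(ts)
        # Tumbling window: slot index within the day, independent of timezone.
        key = (t.date(), (t.hour * 60 + t.minute) // window_minutes)
        buckets[key]["users"][user] += 1
        buckets[key]["ips"].add(ip)

    alerts = []
    for (day, slot), b in sorted(buckets.items()):
        attempts_per_user = max(b["users"].values())
        if len(b["users"]) >= min_users and attempts_per_user <= max_per_user:
            start = datetime.combine(day, time()) + timedelta(minutes=slot * window_minutes)
            alerts.append({
                "window_start": start.isoformat(),
                "distinct_users": len(b["users"]),
                "distinct_ips": len(b["ips"]),
                "max_attempts_per_user": attempts_per_user,
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_password_spray(SIGNIN_EVENTS):
        print(alert)
```

The sample yields one alert for the 10:00 window (six accounts, six IPs, one failure each), while grace's repeated failures from a single IP in the 11:30 window do not match the spray pattern.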
In a separate report, Recorded Future exposed a new spear-phishing campaign by APT28 (also known as BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear) that has targeted government and military entities in Ukraine since November 2021.
The campaign exploited vulnerabilities in the open-source Roundcube webmail software for surveillance and data gathering. The attackers successfully redirected incoming emails to an email address under their control and exfiltrated contact lists.
Further details revealed the spear-phishing emails utilized news-related themes specific to Ukraine to increase their effectiveness and mimicked legitimate media sources.
These recent activities align with another series of attacks exploiting a then-zero-day vulnerability in Microsoft Outlook (CVE-2023-23397), which Microsoft disclosed in March 2023.
The attacks primarily targeted European organizations and involved privilege escalation techniques. The persistent efforts of Russian threat actors to gather intelligence on entities in Ukraine and Europe reflect their focus since Russia's invasion of Ukraine in February 2022.
The cyber warfare operations against Ukrainian targets involved the deployment of wiper malware, highlighting one of the earliest instances of large-scale hybrid conflict.
Recorded Future concluded that BlueDelta would likely continue prioritizing Ukrainian government and private sector organizations to support broader Russian military objectives.