Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives’ email accounts in November 2023, also breached other organizations as part of this malicious campaign.
Midnight Blizzard (aka Nobelium, or APT29) is believed to be a state-backed cyberespionage group tied to the Russian Foreign Intelligence Service (SVR), primarily targeting government organizations, NGOs, software developers, and IT service providers in the U.S. and Europe.
On January 12, 2024, Microsoft discovered that the Russian hackers had breached its systems in November 2023 and stolen email from its leadership, cybersecurity, and legal teams. Some of those emails concerned the hacking group itself, letting the threat actors learn what Microsoft knew about them.
Microsoft now explains that the threat actors used residential proxies and “password spraying” attacks to target a small number of accounts, one of which was a “legacy, non-production test tenant account.” Password spraying tries a short list of likely passwords against many accounts while keeping the number of failures per account below lockout thresholds, and routing the attempts through residential proxies makes them look like ordinary home-user traffic rather than a single attacking host.
“In this observed Midnight Blizzard activity, the actor tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures,” explains an update from Microsoft.
When Microsoft first disclosed the breach, many wondered whether MFA was enabled on this test account and how a test legacy account would have enough privileges to spread laterally to other accounts in the organization.
Microsoft has now confirmed that MFA was not enabled for that account, so the threat actors were able to sign in as soon as one of the sprayed passwords was correct.
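The two signals in the passage above, a spray that keeps per-account failures low while touching many accounts, and a single-factor success that follows failures, can be checked against sign-in logs. The following is an added example (not Microsoft's code or one of its published hunting queries) run over constructed records that mirror Entra ID sign-in log fields; the account names, RFC 5737 test-range IP addresses and the lockout threshold of 10 are assumptions, while error code 50126 (invalid username or password) is the real Entra code:

```python
"""Detect a low-and-slow password spray and an MFA-less hit in sign-in records.

Added example over constructed data; field names mirror Entra ID sign-in
logs (userPrincipalName, ipAddress, status.errorCode,
authenticationRequirement) but are simplified.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126      # real Entra ID error code: wrong username or password
SUCCESS = 0
LOCKOUT_THRESHOLD = 10        # assumed smart-lockout threshold the actor stays under
SPRAY_MIN_ACCOUNTS = 8        # distinct accounts failing inside one window
WINDOW = timedelta(hours=1)
EPOCH = datetime(1970, 1, 1)


def _ev(ts, upn, ip, error, auth="singleFactorAuthentication"):
    return {"ts": datetime.fromisoformat(ts), "upn": upn, "ip": ip,
            "error": error, "auth": auth}


# Constructed sample (names and addresses are made up, IPs from RFC 5737 test
# ranges): two passwords tried against each of ten accounts through four
# rotating "residential" proxies, then a legacy test account gives in.
ACCOUNTS = [f"user{i:02d}@contoso.example" for i in range(1, 11)]
PROXIES = ["203.0.113.10", "203.0.113.44", "198.51.100.7", "198.51.100.91"]
LEGACY = "legacy-test@contoso.example"

SIGNINS = [
    _ev(f"2023-11-14T10:{i * 4 + attempt:02d}:00", upn,
        PROXIES[(i + attempt) % len(PROXIES)], INVALID_PASSWORD)
    for i, upn in enumerate(ACCOUNTS) for attempt in range(2)
]
SIGNINS += [
    _ev("2023-11-14T10:40:00", LEGACY, PROXIES[0], INVALID_PASSWORD),
    _ev("2023-11-14T10:42:00", LEGACY, PROXIES[1], SUCCESS),   # no MFA in the way
    # a real user mistyping once and then completing MFA: not a spray hit
    _ev("2023-11-14T13:05:00", "user03@contoso.example", "192.0.2.15",
        INVALID_PASSWORD, "multiFactorAuthentication"),
    _ev("2023-11-14T13:06:00", "user03@contoso.example", "192.0.2.15",
        SUCCESS, "multiFactorAuthentication"),
]


def _bucket(ts, window):
    """Index of the fixed-size window (aligned to the epoch) containing ts."""
    return (ts - EPOCH) // window


def detect_spray(events, window=WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS,
                 lockout=LOCKOUT_THRESHOLD):
    """Windows in which many distinct accounts fail while no single account
    fails often enough to trip lockout: the spray shape Microsoft describes."""
    buckets = defaultdict(list)
    for e in events:
        if e["error"] == INVALID_PASSWORD:
            buckets[_bucket(e["ts"], window)].append(e)
    alerts = []
    for key, evs in sorted(buckets.items()):
        per_account = Counter(e["upn"] for e in evs)
        if len(per_account) >= min_accounts and max(per_account.values()) <= lockout:
            alerts.append({
                "window_start": (EPOCH + key * window).isoformat(),
                "accounts": len(per_account),
                "max_failures_per_account": max(per_account.values()),
                "source_ips": sorted({e["ip"] for e in evs}),
            })
    return alerts


def mfa_less_hits(events, window=WINDOW):
    """Single-factor successes preceded by a failure on the same account within
    the window: the moment a sprayed password landed on an account without MFA."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["upn"]].append(e)
    hits = []
    for upn, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["error"] != SUCCESS or e["auth"] != "singleFactorAuthentication":
                continue
            if any(p["error"] == INVALID_PASSWORD and e["ts"] - p["ts"] <= window
                   for p in evs[:i]):
                hits.append((upn, e["ip"], e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    for a in detect_spray(SIGNINS):
        print("spray window:", a)
    for h in mfa_less_hits(SIGNINS):
        print("single-factor success after failures:", h)
```

Because the actor rotates residential proxy addresses, the detector deliberately groups on the time window rather than on source IP; a per-IP rule would see at most a handful of failures from each address and never fire.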
Microsoft also explains that this test account had access to an OAuth application with elevated access to Microsoft’s corporate environment. This elevated access allowed the threat actors to create additional OAuth applications to gain access to other corporate mailboxes, as explained below.
Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications.
They created a new user account to grant consent in the Microsoft corporate environment to the actor-controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes. – Microsoft.
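The chain Microsoft describes leaves a sequence in the Entra ID audit log: a user is created, an application and its service principal are registered, the new user consents to the application, and an app role is assigned. The added example below (not Microsoft's code or one of its published queries) correlates those events over constructed records whose layout loosely follows Entra audit log entries; the operation names are the real Entra audit activity names, while the app names, accounts, simplified property keys and the 24-hour "recently created" threshold are assumptions:

```python
"""Correlate Entra ID audit events into the OAuth consent-and-role-grant chain.

Added example over constructed records. Operation names are the real Entra
audit activity names; record layout and property keys are simplified.
"""
from datetime import datetime, timedelta

RECENT = timedelta(hours=24)   # assumed: objects younger than this count as "new"
EXCHANGE_RESOURCE = "Office 365 Exchange Online"
FULL_ACCESS = "full_access_as_app"   # Exchange Online app role named in Microsoft's write-up


def _rec(ts, op, actor, actor_type, target, target_type, props=None):
    return {"ts": datetime.fromisoformat(ts), "op": op, "actor": actor,
            "actor_type": actor_type, "target": target,
            "target_type": target_type, "props": props or {}}


# Constructed sample: a compromised legacy test account creates a user and an
# app, the new user consents to the app, and the legacy test *application*
# (acting as a service principal) hands the new app full_access_as_app.
AUDIT = [
    _rec("2023-11-20T01:10:00", "Add user", "legacy-test@contoso.example", "user",
         "svc-sync@contoso.example", "User"),
    _rec("2023-11-20T01:15:00", "Add application", "legacy-test@contoso.example", "user",
         "Mail Sync Helper", "Application"),
    _rec("2023-11-20T01:16:00", "Add service principal", "legacy-test@contoso.example",
         "user", "Mail Sync Helper", "ServicePrincipal"),
    _rec("2023-11-20T01:20:00", "Consent to application", "svc-sync@contoso.example",
         "user", "Mail Sync Helper", "ServicePrincipal",
         {"ConsentContext.IsAdminConsent": "True"}),
    _rec("2023-11-20T01:25:00", "Add app role assignment to service principal",
         "Legacy Test App", "servicePrincipal", "Mail Sync Helper", "ServicePrincipal",
         {"AppRole.Value": FULL_ACCESS, "Resource.DisplayName": EXCHANGE_RESOURCE}),
    # benign: a long-standing admin grants a read-only Graph role to an old connector
    _rec("2023-11-20T09:00:00", "Add app role assignment to service principal",
         "admin@contoso.example", "user", "Ticketing Connector", "ServicePrincipal",
         {"AppRole.Value": "User.Read.All", "Resource.DisplayName": "Microsoft Graph"}),
]


def _is_new(created, name, now, recent):
    return name in created and now - created[name] <= recent


def analyze(audit, recent=RECENT):
    """Return human-readable findings for the consent / role-grant chain."""
    created = {}    # object display name -> creation time
    findings = []
    for e in sorted(audit, key=lambda e: e["ts"]):
        if e["op"] in ("Add user", "Add service principal"):
            created[e["target"]] = e["ts"]
        elif e["op"] == "Consent to application":
            new_actor = _is_new(created, e["actor"], e["ts"], recent)
            new_app = _is_new(created, e["target"], e["ts"], recent)
            if new_actor and new_app:
                findings.append(
                    f"consent to newly registered app '{e['target']}' granted by "
                    f"newly created user {e['actor']}")
        elif e["op"] == "Add app role assignment to service principal":
            props = e["props"]
            if (props.get("AppRole.Value") == FULL_ACCESS
                    and props.get("Resource.DisplayName") == EXCHANGE_RESOURCE):
                why = []
                if _is_new(created, e["target"], e["ts"], recent):
                    why.append("target service principal is newly created")
                if e["actor_type"] == "servicePrincipal":
                    why.append(f"granted by application '{e['actor']}', not by an admin")
                findings.append(
                    f"{FULL_ACCESS} on {EXCHANGE_RESOURCE} assigned to "
                    f"'{e['target']}' ({'; '.join(why) or 'review grant'})")
    return findings


if __name__ == "__main__":
    for f in analyze(AUDIT):
        print("FINDING:", f)
```

Any assignment of full_access_as_app on Exchange Online is worth a ticket on its own; the correlation adds the two details that made this one malicious, a freshly created service principal on the receiving end and an application rather than an administrator doing the granting.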
The company identified the malicious activity from traces left in Exchange Web Services (EWS) logs, combined with its knowledge of the tactics and procedures used by Russian state-sponsored hacking groups.
Based on these findings, Microsoft was able to identify similar attacks by Midnight Blizzard against other organizations.
“Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations,” warns Microsoft in the new update.
Earlier this week, Hewlett Packard Enterprise (HPE) disclosed that Midnight Blizzard had gained unauthorized access to its Microsoft Office 365 email environment and exfiltrated data since May 2023.
When BleepingComputer asked HPE who disclosed the breach to them, the company said it was not sharing that information. However, the overlap in actor, timeframe and target (Office 365 mailboxes) raises the possibility that HPE is one of the organizations Microsoft has now begun notifying.
In September 2023, it was also revealed that the Chinese Storm-0558 hacking group had stolen 60,000 emails from U.S. State Department accounts after breaching Microsoft's cloud-based Exchange email service earlier that year, using a stolen Microsoft signing key to forge access tokens.
Defending against Midnight Blizzard
Microsoft has provided extensive detection and hunting methods in its latest post to aid defenders in identifying attacks by APT29 and blocking their malicious activity.
The tech giant advises focusing on identity, XDR, and SIEM alerts. The following scenarios are particularly suspicious for Midnight Blizzard activity:
- Elevated activity in email-accessing cloud apps, suggesting potential data retrieval.
- Spike in API calls post-credential update in non-Microsoft OAuth apps, hinting at unauthorized access.
- Increased Exchange Web Services API usage in non-Microsoft OAuth apps, potentially indicating data exfiltration.
- Non-Microsoft OAuth apps with known risky metadata, possibly involved in data breaches.
- OAuth apps created by users from high-risk sessions, suggesting compromised account exploitation.
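The second and third scenarios above, a jump in API calls shortly after an application's credentials were changed and a rise in EWS usage by a non-Microsoft app, are behavioural baselines rather than single events. The added example below (not Microsoft's code or one of its hunting queries) flags them over constructed daily EWS call counts and credential-change dates; the app names, publishers, counts, the 5x-over-median and 500-call thresholds and the 7-day credential lookback are assumptions, while the credential-change operation name is the real Entra audit activity name:

```python
"""Flag non-Microsoft OAuth apps whose EWS usage spikes, especially right after
a credential change. Added example over constructed counts."""
import statistics
from datetime import date, timedelta

SPIKE_RATIO = 5.0          # assumed: latest day > 5x the median of earlier days
MIN_CALLS = 500            # assumed: ignore spikes on tiny absolute volumes
CRED_LOOKBACK = timedelta(days=7)   # assumed: credential change counts as "recent"
CRED_OP = "Update application – Certificates and secrets management"  # Entra audit name

# Constructed app inventory: publisher decides whether the app is first-party.
APPS = {
    "Legacy Test App": {"publisher": "Contoso IT (internal)"},
    "Ticketing Connector": {"publisher": "Fabrikam Software"},
    "Outlook": {"publisher": "Microsoft Corporation"},
}

# Constructed daily EWS call counts per app as (date, calls).
EWS_DAILY = {
    "Legacy Test App": [("2023-11-13", 12), ("2023-11-14", 15), ("2023-11-15", 9),
                        ("2023-11-16", 14), ("2023-11-17", 11), ("2023-11-18", 16),
                        ("2023-11-19", 13), ("2023-11-20", 9800)],
    "Ticketing Connector": [(f"2023-11-{d}", c) for d, c in
                            zip(range(13, 21), [310, 295, 320, 305, 290, 315, 300, 330])],
    "Outlook": [(f"2023-11-{d}", c) for d, c in
                zip(range(13, 21), [50000] * 7 + [130000])],   # first-party, ignored
}

# Constructed credential-change audit events as (date, operation, app).
CRED_EVENTS = [
    ("2023-11-18", CRED_OP, "Legacy Test App"),
    ("2023-10-02", CRED_OP, "Ticketing Connector"),   # routine rotation, long ago
]


def is_first_party(app, apps=APPS):
    return apps[app]["publisher"].lower().startswith("microsoft")


def last_credential_change(app, on, events, lookback=CRED_LOOKBACK):
    """Most recent credential change for app within `lookback` before `on`."""
    hits = [date.fromisoformat(d) for d, op, a in events
            if a == app and op == CRED_OP
            and 0 <= (on - date.fromisoformat(d)).days <= lookback.days]
    return max(hits).isoformat() if hits else None


def detect_spikes(usage=EWS_DAILY, apps=APPS, cred_events=CRED_EVENTS,
                  ratio=SPIKE_RATIO, min_calls=MIN_CALLS):
    """Non-Microsoft apps whose latest-day EWS volume dwarfs their own history;
    a credential change in the lookback window raises the severity."""
    findings = []
    for app, series in usage.items():
        if is_first_party(app, apps):
            continue
        series = sorted(series)                  # ISO dates sort chronologically
        history, (day, today) = series[:-1], series[-1]
        baseline = statistics.median(c for _, c in history)
        if today >= min_calls and today > ratio * baseline:
            cred = last_credential_change(app, date.fromisoformat(day), cred_events)
            findings.append({
                "app": app, "day": day, "calls": today, "baseline": baseline,
                "recent_credential_change": cred,
                "severity": "high" if cred else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect_spikes():
        print("EWS spike:", f)
```

The baseline is a median rather than a mean so that an earlier spike does not inflate the comparison point and hide a second one.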
Finally, Microsoft advises running the hunting queries provided in its post in Microsoft Defender XDR and Microsoft Sentinel to identify and investigate suspicious activity.