Microsoft warns of rise in credential stealing attacks by Russia-linked group

Midnight Blizzard/Nobelium/Cozy Bear threat group is focusing on governments, IT service providers, defence industry, among others

Microsoft warned last week that it has detected a notable increase in credential attack activity, pointing to the notorious threat actor known as Midnight Blizzard as the orchestrator.

What distinguishes these attacks is the clever use of residential proxy services to hide the source of their malicious activities, the software company said.

The threat actor Midnight Blizzard, formerly identified as Nobelium, has been associated with Russia and is also monitored under various names such as APT29, Cozy Bear, Iron Hemlock and The Dukes.

The group gained global attention due to its involvement in the SolarWinds supply chain breach in December 2020. Since then, it has persisted in employing sophisticated tools in targeted attacks, specifically aimed at foreign ministries and diplomatic entities.

During the SolarWinds hack, the attackers compromised the company's Orion network monitoring software and inserted malicious code into legitimate software updates for the Orion software, which allowed them remote access into the victim's environment.

Microsoft, one of those victims, said later that the hackers were able to access some of its source code, although they could not make any changes to it.

Midnight Blizzard targetting governments, IT service providers, NGOs, defence and critical manufacturing

In a series of tweets last week, Microsoft's threat intelligence team highlighted recent credential attacks by Midnight Blizzard on governments, IT service providers, NGOs, the defence industry and critical manufacturing sectors.

According to Microsoft, these credential attacks employ a range of techniques, including password spraying, brute force attacks and token theft.

The threat actor has also been employing session replay attacks via residential proxy services to gain initial access to cloud resources. It is believed that the stolen sessions were likely acquired through illicit sales.

"The use of low-reputation IP addresses like those from residential proxy services helps obfuscate threat actor connections using compromised credentials. The threat actor likely used these IP addresses for very short periods, which could make scoping and remediation challenging."

Microsoft says it has taken steps to bolster its defences in response to this escalating threat.

Spear-phishing in Ukraine

The warning comes as threat intelligence company Recorded Future provided details about a spear-phishing campaign carried out by BlueDelta, also known as APT28, Forest Blizzard, FROZENLAKE, Iron Twilight and Fancy Bear.

This campaign specifically targeted government and military entities in Ukraine starting from November 2021.

In the BlueDelta campaign, spear-phishing techniques were employed, with email attachments that exploited vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) in the Roundcube email client.

These vulnerabilities allowed the execution of reconnaissance and exfiltration scripts, enabling the redirection of incoming emails and the gathering of session cookies, user information and address books.

The BlueDelta campaign demonstrated a high level of preparedness by swiftly weaponising news content to entice and exploit recipients, according to Recorded Future.

The spear-phishing emails used subject lines and content that closely resembled legitimate media sources, focusing on news themes associated with Ukraine.

A string of attacks by Russian-speaking cyber gangs

Last week, European Investment Bank (EIB) was hit with a cyberatttack, after a recent warning from Russian-speaking hackers, who threatened to launch attacks on Western financial institutions due to their support for Ukraine.

In May, Ukrainian state networks fell victim to data wiping by Russian state-sponsored hackers, who erased data after exploiting VPNs and using malware abusing the common archiving tool WinRAR.

And the Clop gang has stolen data from dozens, perhaps hundreds, of corporate and public sector entities around the world, threatening to publish data if payments are not forthcoming.