    Microsoft warns that APT29 espionage attacks targeting global organizations are expanding

    By techempire

    Report | January 26, 2024 | Editorial Department | Threat Intelligence / Cyber Attacks

    Microsoft said Thursday that the Russian state-sponsored threat actors who launched a cyberattack on its systems in late November 2023 have been targeting other organizations, and that it is now beginning to notify them.

    This development comes just a day after Hewlett Packard Enterprise (HPE) revealed that it had fallen victim to an attack by a hacker group tracked as APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

    “This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers in the United States and Europe,” Microsoft’s Threat Intelligence Team said in a new advisory.

    The main goal of these espionage missions is to collect sensitive information of strategic interest to Russia by maintaining a foothold for an extended period of time without attracting any attention.

    The latest revelations suggest the event may be larger than previously thought. However, the tech giant did not reveal which other entities were singled out.

    APT29’s operations involve using legitimate but compromised accounts to gain and expand access within target environments and fly under the radar. It has also been known to identify and abuse OAuth applications for lateral movement between cloud infrastructure and for post-breach activities such as email harvesting.

    “They leverage multiple initial access methods, ranging from credential theft to supply chain attacks, leveraging on-premises environments to move laterally to the cloud, and leveraging the service provider’s chain of trust to gain access to downstream customers,” Microsoft noted.

    Another notable tactic is the use of compromised user accounts to create, modify and grant high privileges to OAuth applications, which they can abuse to hide malicious activity. The company notes that this allows threat actors to maintain access to the application even if they lose access to the initially compromised account.

    These malicious OAuth applications were ultimately used to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts to steal data of interest.

    In a November 2023 incident against Microsoft, threat actors used a password spray attack to successfully infiltrate legacy non-production test tenant accounts that did not have multi-factor authentication (MFA) enabled.

    Such attacks are launched from a decentralized residential proxy infrastructure to hide their origin, allowing threat actors to interact with compromised tenants and Exchange Online through a vast network of IP addresses that are also used by legitimate users.

    “Due to the high translation rate of IP addresses, Midnight Blizzard uses residential proxies to obfuscate connections, making traditional indicators of compromise (IoC)-based detection unfeasible,” Redmond said. This makes it imperative for organizations to take measures to defend themselves against malicious OAuth applications and password spraying.
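
    As an added example (not from Microsoft's advisory or the original article), the code below runs two detection rules over constructed sign-in events: a per-IP failure threshold, which a spray spread across residential proxy addresses does not trip, and an IP-agnostic rule that counts distinct accounts failing within a time window. The event layout, thresholds, and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def build_sample_events():
    """Constructed events (not real telemetry): (time, user, source IP, success, MFA used)."""
    t0 = datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc)
    events = []
    # Spray pattern: one guess per account, each attempt from a different address.
    for i in range(12):
        ok = (i == 7)  # one legacy test account without MFA accepts the guess
        events.append((t0 + timedelta(minutes=2 * i), f"user{i:02d}", f"198.51.100.{i + 10}", ok, False))
    # Benign noise: one user mistypes a password three times, then signs in with MFA.
    for j in range(3):
        events.append((t0 + timedelta(hours=5, minutes=j), "alice", "203.0.113.5", False, False))
    events.append((t0 + timedelta(hours=5, minutes=4), "alice", "203.0.113.5", True, True))
    return events

def per_ip_alerts(events, max_failures=5):
    """IoC-style rule: alert on any single source IP with many failed sign-ins."""
    fails = defaultdict(int)
    for _, _, ip, ok, _ in events:
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def spray_windows(events, window=timedelta(hours=1), min_users=8, max_per_user=2):
    """IP-agnostic rule: many distinct accounts failing, few attempts per account."""
    buckets = defaultdict(list)
    for ev in events:
        epoch = int(ev[0].timestamp() // window.total_seconds())
        buckets[epoch].append(ev)
    findings = []
    for epoch, evs in sorted(buckets.items()):
        fails = defaultdict(int)
        for _, user, _, ok, _ in evs:
            if not ok:
                fails[user] += 1
        if len(fails) >= min_users and max(fails.values()) <= max_per_user:
            # Single-factor successes inside a spray window are the accounts to review first.
            hits = sorted({u for _, u, _, ok, mfa in evs if ok and not mfa})
            findings.append({"failed_users": len(fails), "no_mfa_success": hits})
    return findings
```

    On the sample data the per-IP rule returns nothing, while the window rule reports 11 failing accounts and flags `user07` as a single-factor success to investigate.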
