Russian Hackers Conducting Widescale Credential-Stealing Attacks, Warns Microsoft

June 26, 2023

Microsoft has issued a warning regarding a significant increase in credential-stealing attacks being carried out by the Russian state-affiliated hacker group, Midnight Blizzard. This group, also known under the names Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes, is known for its role in the SolarWinds supply chain compromise in December 2020. The group has been targeting governments, IT service providers, NGOs, defense, and critical manufacturing sectors.

The hackers have been using residential proxy services to hide the source IP address of the attacks. They have also been using a variety of techniques, including password spray, brute-force, and token theft, to conduct these attacks. Microsoft noted in a series of tweets that the group has also been conducting session replay attacks to gain initial access to cloud resources, likely using stolen sessions acquired through illicit sale.

The tactics used by APT29 include routing malicious traffic through residential proxy services to hide connections made using compromised credentials. Microsoft highlighted the challenge in scoping and remediation due to the short-term use of these IP addresses by the threat actor.
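The Microsoft advisory summarised above makes a defensive point that is easy to miss: when a password spray is routed through residential proxies that rotate every few minutes, per-IP lockout and per-IP reputation checks see only a handful of failures from each address and never fire. The example below is added here as an illustration and is not code from Microsoft or from the article; it keys spray detection on a time window across all accounts rather than on the source IP, then lists any successful sign-in from a participating address inside that window (the accounts a responder should treat as likely hits), and separately flags the classic single-account brute force the article also mentions. The log format, the RFC 5737 documentation IPs, the account names and the thresholds (10-minute window, 5 distinct accounts, at most 2 failures per account, 5 failures for brute force) are all constructed assumptions for the demonstration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp, account, source IP, result.
# IPs are RFC 5737 documentation ranges; nothing here is real telemetry.
SAMPLE_LOG = """\
2023-06-20T08:00:01Z alice@example.com 203.0.113.10 FAILURE
2023-06-20T08:00:04Z bob@example.com 203.0.113.10 FAILURE
2023-06-20T08:00:09Z carol@example.com 198.51.100.7 FAILURE
2023-06-20T08:00:15Z dave@example.com 198.51.100.7 FAILURE
2023-06-20T08:00:21Z erin@example.com 192.0.2.55 FAILURE
2023-06-20T08:00:27Z frank@example.com 192.0.2.55 FAILURE
2023-06-20T08:00:33Z grace@example.com 203.0.113.44 FAILURE
2023-06-20T08:00:40Z heidi@example.com 203.0.113.44 SUCCESS
2023-06-20T09:15:00Z alice@example.com 203.0.113.10 FAILURE
2023-06-20T09:15:30Z alice@example.com 203.0.113.10 FAILURE
2023-06-20T09:16:00Z alice@example.com 203.0.113.10 FAILURE
2023-06-20T09:16:30Z alice@example.com 203.0.113.10 FAILURE
2023-06-20T09:17:00Z alice@example.com 203.0.113.10 FAILURE
2023-06-20T10:30:00Z bob@example.com 203.0.113.99 FAILURE
2023-06-20T10:31:00Z bob@example.com 203.0.113.99 SUCCESS
"""


def parse_log(text):
    """Turn the whitespace-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Flag time windows in which many distinct accounts each fail only a few times.

    Keyed on time rather than source IP: a spray behind rotating proxies is a
    burst of low-volume failures spread over accounts and addresses, which a
    per-IP lockout threshold never trips.
    """
    failures = sorted((e for e in events if not e["ok"]), key=lambda e: e["ts"])
    alerts = []
    start = 0
    for end in range(len(failures)):
        while failures[end]["ts"] - failures[start]["ts"] > window:
            start += 1
        chunk = failures[start:end + 1]
        per_user = Counter(e["user"] for e in chunk)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alert = {
                "window_start": chunk[0]["ts"],
                "window_end": chunk[-1]["ts"],
                "users": sorted(per_user),
                "ips": sorted({e["ip"] for e in chunk}),
            }
            # A growing window re-triggers on each new failure; keep one alert per start.
            if alerts and alerts[-1]["window_start"] == alert["window_start"]:
                alerts[-1] = alert
            else:
                alerts.append(alert)
    return alerts


def spray_successes(events, alert, window=timedelta(minutes=10)):
    """Successful sign-ins inside a spray window from an address that took part in it.
    These accounts are the likely credential hits to investigate and reset first."""
    return sorted(
        e["user"] for e in events
        if e["ok"]
        and alert["window_start"] <= e["ts"] <= alert["window_end"] + window
        and e["ip"] in alert["ips"]
    )


def detect_brute_force(events, min_failures=5):
    """Classic single-account brute force: many failures for one (account, IP) pair."""
    counts = Counter((e["user"], e["ip"]) for e in events if not e["ok"])
    return sorted((u, ip, n) for (u, ip), n in counts.items() if n >= min_failures)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in detect_password_spray(evts):
        print(f"spray {a['window_start']:%H:%M:%S}-{a['window_end']:%H:%M:%S}: "
              f"{len(a['users'])} accounts via {len(a['ips'])} IPs, "
              f"hits={spray_successes(evts, a)}")
    print("brute force:", detect_brute_force(evts))
```

On the constructed sample, the 08:00 burst is reported as one spray across seven accounts and four addresses even though no single address fails more than twice, the success for heidi@example.com from a participating address is surfaced as the account to triage first, and the repeated failures against alice@example.com are reported separately as brute force rather than being folded into the spray.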

In related news, Recorded Future detailed a spear-phishing campaign conducted by another Russian hacker group, APT28, also known as BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear. This group has been targeting government and military entities in Ukraine since November 2021. The attacks involved emails with attachments exploiting multiple vulnerabilities in the open-source Roundcube webmail software (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to gather data and conduct reconnaissance. Successful breaches allowed the hackers to deploy rogue JavaScript malware that redirected incoming emails of targeted individuals to an email address under the attackers' control and stole their contact lists.

The spear-phishing emails used by APT28 were designed to lure recipients, with subject lines and content mirroring legitimate media sources related to Ukraine. The group has also been linked to attacks exploiting a then-zero-day flaw in Microsoft Outlook (CVE-2023-23397) that was used in limited targeted attacks against European organizations. This vulnerability was patched in Microsoft's March 2023 updates.

These findings highlight the persistent efforts by Russian threat actors to gather valuable intelligence on various entities in Ukraine and across Europe, particularly following Russia's full-scale invasion of Ukraine in February 2022. The cyberwarfare operations targeting Ukraine have been marked by the widespread deployment of wiper malware designed to delete and destroy data, marking one of the earliest instances of large-scale hybrid conflict. Recorded Future concluded that BlueDelta will almost certainly continue to target Ukrainian government and private sector organizations to support wider Russian military efforts.
