Microsoft has issued a warning regarding a significant increase in credential-stealing attacks being carried out by the Russian state-affiliated hacker group, Midnight Blizzard. This group, also known under the names Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes, is known for its role in the SolarWinds supply chain compromise in December 2020. The group has been targeting governments, IT service providers, NGOs, defense, and critical manufacturing sectors.
The hackers have been using residential proxy services to hide the source IP address of the attacks. They have also been using a variety of techniques, including password spray, brute-force, and token theft, to conduct these attacks. Microsoft noted in a series of tweets that the group has also been conducting session replay attacks to gain initial access to cloud resources, likely using stolen sessions acquired through illicit sale.
The tactics used by APT29 include routing malicious traffic through residential proxy services to hide connections made using compromised credentials. Microsoft highlighted the challenge in scoping and remediation due to the short-term use of these IP addresses by the threat actor.
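As an added example, not code from Microsoft or from the article, the following Python detector runs over constructed sign-in records and flags the two patterns described above: password spraying, aggregated by user agent as well as by source IP so that rotating residential-proxy exit addresses do not fragment the signal, and a session id accepted again from a different network within minutes, which is the trace a replayed stolen token leaves. The field layout, ASN labels, thresholds and windows are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for illustration only (not real telemetry).
# Fields: time, user, source IP, ASN label, user agent, session id, outcome.
SAMPLE_SIGNINS = [
    ("2023-06-22T10:00:01", "alice", "203.0.113.5", "AS64500", "UA-x", None, "fail"),
    ("2023-06-22T10:00:03", "bob", "203.0.113.5", "AS64500", "UA-x", None, "fail"),
    ("2023-06-22T10:00:05", "carol", "203.0.113.5", "AS64500", "UA-x", None, "fail"),
    ("2023-06-22T10:00:08", "dave", "198.51.100.9", "AS64501", "UA-x", None, "fail"),  # exit IP rotated
    ("2023-06-22T10:00:10", "erin", "198.51.100.9", "AS64501", "UA-x", None, "fail"),
    ("2023-06-22T10:05:00", "alice", "192.0.2.10", "AS64496", "UA-a", "S1", "success"),
    ("2023-06-22T10:06:30", "alice", "198.51.100.77", "AS64501", "UA-x", "S1", "success"),  # same token, new ASN
    ("2023-06-22T10:30:00", "frank", "192.0.2.11", "AS64496", "UA-f", "S2", "success"),
]
FIELDS = ("time", "user", "ip", "asn", "ua", "sid", "outcome")

def parse(rec):
    return {**dict(zip(FIELDS, rec)), "time": datetime.fromisoformat(rec[0])}

def detect_password_spray(records, key="ip", window=timedelta(minutes=10), min_users=3):
    """Sources (IP, or user agent once proxy IPs rotate) failing sign-ins for >= min_users accounts in one window."""
    fails = defaultdict(list)
    for r in map(parse, records):
        if r["outcome"] == "fail":
            fails[r[key]].append(r)
    hits = {}
    for src, evts in fails.items():
        evts.sort(key=lambda r: r["time"])
        for first in evts:  # sliding window anchored at each failure
            users = {e["user"] for e in evts if timedelta(0) <= e["time"] - first["time"] <= window}
            if len(users) >= min_users:
                hits[src] = len(users)
                break
    return hits

def detect_session_replay(records, window=timedelta(minutes=30)):
    """Session ids accepted from two different ASNs within the window (token replay)."""
    by_sid = defaultdict(list)
    for r in map(parse, records):
        if r["sid"] and r["outcome"] == "success":
            by_sid[r["sid"]].append(r)
    hits = {}
    for sid, evts in by_sid.items():
        evts.sort(key=lambda r: r["time"])
        for a, b in zip(evts, evts[1:]):
            if a["asn"] != b["asn"] and b["time"] - a["time"] <= window:
                hits[sid] = (a["asn"], b["asn"])
    return hits
```

Keying the spray check on user agent rather than IP is what catches the second cluster here; with the IP key the rotated exit address stays under threshold, which is the scoping problem Microsoft describes. Legitimate roaming users also change ASN, so the replay check is a triage signal to pair with device and user-agent context, not a standalone verdict.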
The spear-phishing emails used by APT28 were designed to deceive recipients, with subject lines and content mirroring legitimate media sources related to Ukraine. The group has also been linked to attacks exploiting a then-zero-day flaw in Microsoft Outlook (CVE-2023-23397) that was used in limited targeted attacks against European organizations. This vulnerability was patched in Microsoft's March 2023 updates.
These findings highlight the persistent efforts by Russian threat actors to gather valuable intelligence on various entities in Ukraine and across Europe, particularly following Russia's full-scale invasion of Ukraine in February 2022. The cyberwarfare operations targeting Ukraine have been marked by the widespread deployment of wiper malware designed to delete and destroy data, marking one of the earliest instances of large-scale hybrid conflict. Recorded Future concluded that BlueDelta will almost certainly continue to target Ukrainian government and private sector organizations to support wider Russian military efforts.