
A Closer Look at the Midnight Blizzard Crew

By Jason Whitehurst (Guest Contributor)

Microsoft's security team has recently made a significant discovery regarding an increase in cyber-attacks orchestrated by the Russian state-backed group known as the Midnight Blizzard crew. This group, which also operates under the aliases Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes, has been actively targeting personal credentials, according to Microsoft's findings.

The Midnight Blizzard hackers employ residential proxy services to conceal the source IP addresses of their attacks. Their targets typically include government entities, IT service providers, non-governmental organizations (NGOs), defense industries, and critical manufacturing facilities. Microsoft shared these insights through a series of informative Twitter posts.

How Does the Attack Work?

The threat actors behind the Midnight Blizzard crew have been utilizing IP addresses for brief periods, making it challenging to scope and remediate the attacks, as noted by Microsoft. However, the specific countries and organizations targeted by these Kremlin-supported hackers were not disclosed by Microsoft.

Microsoft explained that the crew employs various techniques such as password spray attacks, brute force attacks, and token theft methods. They have also been engaged in session replay attacks, in which stolen session tokens are reused to gain initial access to cloud resources.
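Because the source IPs are short-lived, a per-IP rule misses a spray that rotates through proxies; the added example below (not code from the original post or from Microsoft) compares that rule with a tenant-wide one over constructed sign-in lines. The tenant name, the four-column log layout and the thresholds are assumptions.

```python
"""Password-spray detection over sign-in events (added example, not from the
original post). Log lines, tenant name and layout are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, account, source IP, outcome. The first six
# lines are one spray (one guess per account, rotating proxy IPs); the last
# three are a single-account brute force, which is a different pattern.
SAMPLE_LOG = """\
2023-06-01T08:00:01Z alice@contoso-example.com 203.0.113.10 FAIL
2023-06-01T08:00:04Z bob@contoso-example.com 203.0.113.10 FAIL
2023-06-01T08:00:07Z carol@contoso-example.com 203.0.113.11 FAIL
2023-06-01T08:00:10Z dave@contoso-example.com 203.0.113.12 FAIL
2023-06-01T08:00:13Z erin@contoso-example.com 203.0.113.13 FAIL
2023-06-01T08:00:16Z frank@contoso-example.com 203.0.113.14 FAIL
2023-06-01T08:20:00Z alice@contoso-example.com 198.51.100.7 FAIL
2023-06-01T08:20:30Z alice@contoso-example.com 198.51.100.7 FAIL
2023-06-01T08:21:00Z alice@contoso-example.com 198.51.100.7 FAIL
"""

def parse(log):
    """Return (timestamp, account, ip, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events

def noisy_ips(events, min_accounts=5):
    """Per-source rule: IPs that failed against many accounts. Misses a spray
    whose operator rotates through short-lived proxy IPs."""
    per_ip = defaultdict(set)
    for _, user, ip, outcome in events:
        if outcome == "FAIL":
            per_ip[ip].add(user)
    return {ip for ip, users in per_ip.items() if len(users) >= min_accounts}

def spray_window(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Tenant-wide rule: many distinct accounts each failing only a few times
    inside one window, ignoring source IP. Returns (window_start, accounts)
    for the first such window, or None."""
    fails = sorted((ts, user) for ts, user, _, outcome in events if outcome == "FAIL")
    for i, (start, _) in enumerate(fails):
        per_user = Counter(user for ts, user in fails[i:] if ts - start <= window)
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            return start, sorted(per_user)
    return None
```

On the sample, the per-IP rule fires on nothing while the tenant-wide rule flags the six-account spray and leaves the single-account brute force to a separate lockout rule.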

Previous Activities of Nobelium

In October 2021, Microsoft reported that Nobelium, the alleged Russian state actor responsible for the SolarWinds Orion cyberattacks, had been targeting at least 140 resellers and technology service providers since May 2021. Out of those, 14 have been compromised by these attacks.

Microsoft has actively monitored this latest campaign since May 2021, notifying affected partners and customers while simultaneously developing technical assistance and guidance for the reseller community. The Windows-maker is committed to providing comprehensive support and protection in response to these cyber threats.

Challenges Faced by Managed Service Providers (MSPs)

Out of the approximately 200 MSPs supported by Microsoft, six have been specifically targeted using methods like password spraying, phishing, and token theft. While these attacks may be relatively easy to identify once they commence, the challenge lies in the fact that many MSPs fail to protect themselves as well as they protect their own clients. This situation makes it crucial for MSPs to identify and block these attacks efficiently, often necessitating the use of third-party platforms such as Checkpoint Harmony or Ironscales.

Leveraging Octiga for Enhanced Security

To address these challenges, MSPs are advised to use tools like Octiga to determine the Microsoft 365 security baseline and to remediate vulnerabilities with a single click. This approach offers a user-friendly and efficient means of protecting organizations against cyber threats. For MSPs seeking an effective and convenient solution, Octiga has proven to be as close to an "easy button" as they have found.

Conclusion

The recent surge in cyber-attacks orchestrated by the Russian state-backed Midnight Blizzard crew has caught the attention of Microsoft's security team. By shedding light on the techniques used by these threat actors and their targets, Microsoft aims to raise awareness about the importance of robust cybersecurity measures. With the collaboration of industry professionals and the adoption of advanced security tools, we can effectively combat these malicious activities and safeguard our digital landscape. Stay vigilant, protect your personal credentials, and together, let's ensure a secure and resilient cyber environment.
