
Microsoft Warns of Russia-backed Credentials Stealing Campaign


Microsoft’s security team recently said that it had found evidence of a jump in cyber attacks orchestrated by the Russian state-backed Midnight Blizzard crew eyeing personal credentials.

The Midnight Blizzard hackers, also known as Nobelium and tracked as APT29, Cozy Bear, Iron Hemlock, and The Dukes, use residential proxy services to obfuscate the source IP addresses of their attacks, which typically target governments, IT service providers, NGOs, the defense industry, and critical manufacturing, Microsoft said in a series of Twitter posts.

How the Attack Works

The threat actor likely “used these IP addresses for very short periods, which could make scoping and remediation challenging," Microsoft said.

Microsoft’s cyber defenders did not specify which countries the Kremlin-supported hackers had targeted, nor did they name any organizations that had been hit.

“These credential attacks use a variety of password spray, brute force, and token theft techniques,” Microsoft said. The crew has also conducted “session replay attacks to gain initial access to cloud resources leveraging stolen sessions likely acquired via illicit sale.”
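As an added illustration of why short-lived proxy addresses complicate scoping (example code written for this page, not part of the article or of Microsoft's guidance): a password-spray detector that buckets sign-in failures by time window across accounts instead of by source IP, run over a constructed sign-in log. Account names, addresses, timestamps and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (hypothetical values, not data from the article).
# Each record: (UTC timestamp, account, source IP, result). Ten accounts each see one
# failure from a different address within a minute, the shape of a spray routed through
# rotating residential proxies; "carol" is an ordinary typo-and-retry for contrast.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:%02d" % (i * 5), "user%02d" % i, "198.51.100.%d" % (10 + i), "fail")
    for i in range(10)
] + [
    ("2024-05-01T09:01:00", "user03", "198.51.100.13", "success"),  # spray hit on a weak password
    ("2024-05-01T11:30:00", "carol", "192.0.2.7", "fail"),
    ("2024-05-01T11:30:20", "carol", "192.0.2.7", "fail"),
    ("2024-05-01T11:30:40", "carol", "192.0.2.7", "success"),
]

EPOCH = datetime(1970, 1, 1)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_fails_per_account=2):
    """Group failures into fixed time windows and flag windows where many distinct accounts
    each fail only a few times. Keying on time rather than on source IP is what keeps the
    detection working when the address changes on nearly every attempt."""
    buckets = defaultdict(lambda: {"fails": defaultdict(int), "ips": set()})
    for ts, account, ip, result in events:
        if result != "fail":
            continue
        secs = (datetime.fromisoformat(ts) - EPOCH).total_seconds()
        start = EPOCH + timedelta(seconds=secs - secs % window.total_seconds())
        buckets[start]["fails"][account] += 1
        buckets[start]["ips"].add(ip)
    alerts = []
    for start, b in sorted(buckets.items()):
        low_and_slow = [a for a, n in b["fails"].items() if n <= max_fails_per_account]
        if len(low_and_slow) >= min_accounts:
            alerts.append({"window_start": start.isoformat(),
                           "accounts": len(low_and_slow), "source_ips": len(b["ips"])})
    return alerts


def ip_dwell_times(events):
    """Seconds between first and last sighting of each source IP. Dwell times of a few
    seconds are why blocking individual addresses after the fact gives little coverage."""
    seen = {}
    for ts, _, ip, _ in events:
        t = datetime.fromisoformat(ts)
        first, last = seen.get(ip, (t, t))
        seen[ip] = (min(first, t), max(last, t))
    return {ip: (last - first).total_seconds() for ip, (first, last) in seen.items()}
```

On the sample log the detector raises one alert for the 09:00 window (10 accounts, 10 source addresses) and none for carol's retries, while every spray address is seen for under a minute.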

Nobelium Notorious for SUNBURST Orion Attack

Nobelium, which is said to be tied to the Foreign Intelligence Service of the Russian Federation (SVR), the organization responsible for collecting intelligence outside Russia, including electronic surveillance, is known for supply chain attacks and has been fingered as the syndicate that carried out the massive SUNBURST Orion cyber attack in December 2020. That operation hit a number of U.S. federal agencies and hundreds of businesses.

More recently, Nobelium has also been blamed for attacks on Ukrainian military targets, on countries providing assistance to Ukraine’s war effort, and on other organizations opposing Russia.

In October 2021, Microsoft reported that Nobelium, the alleged Russian state actor that apparently launched the SUNBURST cyberattacks, had targeted at least 140 resellers and technology service providers since May 2021. As many as 14 of those resellers and technology service providers had been compromised, Microsoft said.

“We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community,” the Windows-maker said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.