Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it's currently beginning to notify them.
The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.
"This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the U.S. and Europe," the Microsoft Threat Intelligence team said in a new advisory.
The primary goal of these espionage missions is to gather sensitive information that is of strategic interest to Russia by maintaining footholds for extended periods of time without attracting any attention.
The latest disclosure indicates that the scale of the campaign may have been bigger than previously thought. The tech giant, however, did not reveal which other entities were singled out.
APT29's operations involve the use of legitimate but compromised accounts to gain and expand access within a target environment and fly under the radar. It's also known to identify and abuse OAuth applications to move laterally across cloud infrastructures and for post-compromise activity, such as email collection.
"They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, and exploitation of service providers' trust chain to gain access to downstream customers," Microsoft noted.
Another notable tactic entails the use of breached user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. This enables threat actors to maintain access to applications, even if they lose access to the initially compromised account, the company pointed out.
These malicious OAuth applications are ultimately used to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts to exfiltrate data of interest.
In the incident targeting Microsoft in November 2023, the threat actor used a password spray attack to successfully infiltrate a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.
"In this observed Midnight Blizzard activity, the actor tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures," it said.
The intruders then leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment, weaponizing it to create additional malicious OAuth applications and grant them the Office 365 Exchange Online full_access_as_app role in order to obtain access to mailboxes.
Such attacks are launched from a distributed residential proxy infrastructure to conceal their origins, allowing the threat actor to interact with the compromised tenant and with Exchange Online via a vast network of IP addresses that are also used by legitimate users.
"Midnight Blizzard's use of residential proxies to obfuscate connections makes traditional indicators of compromise (IoC)-based detection infeasible due to the high changeover rate of IP addresses," Redmond said, necessitating that organizations take steps to defend against rogue OAuth applications and password spraying.