
Russia’s Midnight Blizzard Targeting Service Accounts to Gain Initial Cloud Access


Recent reports have unveiled that the threat group known as “Midnight Blizzard,” linked to Russian intelligence services (SVR), has been utilizing automated cloud services accounts and dormant accounts to breach cloud environments in targeted organizations. This strategic advancement marks a substantial shift in tactics for the threat actor, also recognized as APT29, Cozy Bear, and Dukes, as it adjusts its methods to the expanding adoption of cloud services by traditionally targeted sectors.

In a joint advisory issued by the UK’s National Cyber Security Center (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), along with other international cybersecurity agencies, organizations were cautioned about Midnight Blizzard’s evolving tactics. The advisory emphasized the critical need for organizations to fortify their defenses against SVR’s techniques for initial cloud access to thwart potential breaches and data exfiltration attempts.

Midnight Blizzard, previously noted for its intelligence gathering activities targeting government agencies and various industries, has expanded its scope of attacks to encompass a wider array of sectors. Following the notorious SolarWinds breach, the threat actor has taken aim at organizations in the software supply chain, healthcare research, law enforcement, aviation, and military domains. Major companies like Microsoft and HPE have attributed security breaches to Midnight Blizzard, underscoring the severity and sophistication of the threat actor’s operations.

Historically, Midnight Blizzard exploited software vulnerabilities and network weaknesses to infiltrate on-premises IT systems of target organizations. However, with the transition towards cloud-native and cloud-hosted environments by many entities, the threat actor has pivoted its focus to cloud services. This shift necessitated the utilization of techniques like leveraging automated cloud service accounts and dormant accounts to gain initial access to cloud environments.

One prevalent tactic employed by Midnight Blizzard is brute-force guessing and password spraying against automated, non-human accounts that manage cloud applications. Because these accounts often lack robust two-factor authentication, they are a prime target for illicit access and subsequent network infiltration. Additionally, dormant accounts left unattended by organizations give Midnight Blizzard an opening to exfiltrate sensitive data and carry out further malicious activity within the compromised network.

Moreover, Midnight Blizzard has resorted to abusing authentication tokens, including illegally obtained OAuth tokens, to maintain persistent access to victim accounts without needing a password. The threat actor has also engaged in MFA bombing attacks to pressure victims into approving the attacker's authentication to targeted accounts, showcasing its adeptness at circumventing security controls. To counter such threats, organizations are advised to implement multifactor authentication, enforce strong password protection for service accounts, and adhere to the principle of least privilege to limit the scope of potential misuse by threat actors.

To mitigate the risk posed by unauthorized access and data breaches, organizations should enhance their security measures by regulating authentication token lifetimes, restricting device enrollment policies, and implementing canary service accounts as a means of detecting suspicious activities within cloud environments. By fortifying their defenses and adopting proactive security measures, organizations can significantly diminish the threat posed by sophisticated threat actors like Midnight Blizzard in the ever-evolving cybersecurity landscape.
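The three detection opportunities the advisory points at (password spraying against service accounts, sign-ins to long-dormant accounts, and any touch of a canary service account) can be checked over cloud sign-in telemetry. The following is an added example written for this article, not code from the advisory or the agencies involved; the sign-in events, account names, IP addresses and the 90-day dormancy threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real telemetry: (time, account, source_ip, result)
EVENTS = [
    ("2024-03-01T09:00:00", "svc-backup",  "198.51.100.7", "fail"),
    ("2024-03-01T09:00:05", "svc-deploy",  "198.51.100.7", "fail"),
    ("2024-03-01T09:00:09", "svc-monitor", "198.51.100.7", "fail"),
    ("2024-03-01T09:00:14", "svc-etl",     "198.51.100.7", "fail"),
    ("2024-03-01T09:00:20", "svc-etl",     "198.51.100.7", "success"),
    ("2024-03-01T09:01:00", "svc-canary",  "203.0.113.9",  "fail"),
    ("2024-03-01T10:30:00", "jdoe",        "192.0.2.4",    "success"),
]
# Decoy service accounts that no legitimate process ever uses (constructed)
CANARY_ACCOUNTS = {"svc-canary"}
# Last known legitimate activity per account (constructed)
LAST_LEGIT_ACTIVITY = {"svc-etl": "2023-06-01T00:00:00", "jdoe": "2024-02-28T00:00:00"}


def detect(events, canaries, last_activity, spray_accounts=3,
           window=timedelta(minutes=10), dormant_days=90):
    """Return a list of alert tuples derived from the sign-in events."""
    alerts = []
    fails = defaultdict(list)            # source ip -> [(time, account)] of failed sign-ins
    success_ips = {e[2] for e in events if e[3] == "success"}
    for ts, acct, ip, result in events:
        t = datetime.fromisoformat(ts)
        if result == "fail":
            fails[ip].append((t, acct))
        # Any sign-in attempt against a canary account is suspicious by definition
        if acct in canaries:
            alerts.append(("canary_touch", acct, ip))
        # A successful sign-in to an account idle longer than dormant_days
        if result == "success" and acct in last_activity:
            idle = t - datetime.fromisoformat(last_activity[acct])
            if idle > timedelta(days=dormant_days):
                alerts.append(("dormant_success", acct, ip))
    # Password spray: one source failing against many distinct accounts inside a window;
    # the last field records whether that source also achieved a success
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            accts = {a for t, a in attempts[i:] if t - t0 <= window}
            if len(accts) >= spray_accounts:
                alerts.append(("password_spray", ip, len(accts), ip in success_ips))
                break
    return alerts


def run_demo():
    return detect(EVENTS, CANARY_ACCOUNTS, LAST_LEGIT_ACTIVITY)
```

In a real environment the same logic would run over the identity provider's sign-in log export, with the dormancy baseline taken from the last successful sign-in per account.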
