Microsoft has disclosed new information about the Russian nation-state attack on its corporate systems that it detected in January, together with guidance for customers on defending against the same techniques.
Microsoft discovered the malicious activity on its network on January 12, 2024, and attributes it to “Midnight Blizzard” (aka Nobelium, APT29, Cozy Bear), a Russian state-sponsored group known for espionage and intelligence-gathering operations. The group gained initial access by compromising a legacy, non-production test tenant account with a password spray attack, and then worked its way to the corporate email accounts of some members of Microsoft’s senior leadership team.
The test tenant account did not have multi-factor authentication (MFA) enabled, so a single correctly guessed password was enough to log in. That missing control, rather than a software flaw, was the weakness the attackers exploited.
Microsoft’s latest report states that Midnight Blizzard ran its password spray attacks through residential proxy networks, so the attempts arrived from a large number of IP addresses also used by legitimate users; this keeps the volume from any single address low and defeats per-IP rate limits and reputation-based blocking. The group also used OAuth applications to conceal its activity: with its initial foothold it identified and compromised a legacy test OAuth application that held elevated access to the Microsoft corporate environment.
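The residential-proxy spray described above is what defeats the classic "N failures from one IP" rule, because each address fails only once. The following added example (not code from Microsoft's report) contrasts that rule with a tenant-wide one that counts distinct accounts failing password authentication inside a time window, regardless of source address. The sign-in events are constructed to mimic Entra ID sign-in log fields (userPrincipalName, ipAddress, errorCode); error code 50126 is Entra's real code for a wrong password, while every user name, address and timestamp is invented.

```python
"""Password-spray detection that does not depend on the source IP (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

ERR_BAD_PASSWORD = 50126  # Entra ID sign-in errorCode: invalid username or password


def _evt(ts, user, ip, code):
    return {"createdDateTime": datetime.fromisoformat(ts), "userPrincipalName": user,
            "ipAddress": ip, "errorCode": code}


# Constructed spray: one password tried against 12 accounts in 12 minutes, each attempt
# from a different residential-looking address, followed by one success on test07.
SPRAY = [_evt(f"2024-01-10T02:{m:02d}:00", f"test{i:02d}@legacy.example",
              f"203.0.113.{i}", ERR_BAD_PASSWORD)
         for i, m in enumerate(range(1, 13))]
SPRAY.append(_evt("2024-01-10T02:14:00", "test07@legacy.example", "198.51.100.7", 0))
# Constructed benign noise: one user mistyping her password three times from one laptop.
NOISE = [_evt(f"2024-01-10T02:0{m}:00", "alice@legacy.example", "192.0.2.10", ERR_BAD_PASSWORD)
         for m in (3, 4, 5)]
EVENTS = sorted(SPRAY + NOISE, key=lambda e: e["createdDateTime"])


def per_ip_alerts(events, threshold=5):
    """Classic rule: alert on any IP with >= threshold password failures.
    A proxy-rotated spray never trips it; only the typo-prone user does."""
    fails = defaultdict(int)
    for e in events:
        if e["errorCode"] == ERR_BAD_PASSWORD:
            fails[e["ipAddress"]] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def spray_alerts(events, window=timedelta(minutes=15), min_users=10):
    """Tenant-wide rule: within a window, >= min_users distinct accounts fail password auth.
    Returns [(window_start, distinct_users, distinct_ips, users_that_later_succeeded)]
    for the first window that trips, or [] if none does."""
    fails = [e for e in events if e["errorCode"] == ERR_BAD_PASSWORD]
    successes = {e["userPrincipalName"]: e["createdDateTime"] for e in events if e["errorCode"] == 0}
    for i, first in enumerate(fails):
        t0 = first["createdDateTime"]
        bucket = [e for e in fails[i:] if e["createdDateTime"] - t0 <= window]
        users = {e["userPrincipalName"] for e in bucket}
        if len(users) >= min_users:
            ips = {e["ipAddress"] for e in bucket}
            # Accounts that failed during the window and then logged in successfully:
            # the likely compromised ones, worth immediate credential reset.
            followed = sorted(u for u in users if u in successes and successes[u] >= t0)
            return [(t0, len(users), len(ips), followed)]
    return []


if __name__ == "__main__":
    print("per-IP rule:", per_ip_alerts(EVENTS))
    print("tenant-wide rule:", spray_alerts(EVENTS))
```

With the constructed data the per-IP rule returns nothing at its default threshold and, lowered to 3, fires only on the benign typo address, while the tenant-wide rule reports 13 distinct accounts failing from 13 distinct addresses and singles out the one account that subsequently succeeded. A failures-to-addresses ratio near 1:1 is itself a strong indicator of proxy rotation.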
The attackers then created a new user account and used it to grant consent in the corporate environment to additional malicious OAuth applications they had built. Finally, they used the legacy test OAuth application to grant those applications the Office 365 Exchange Online full_access_as_app role, an application permission that allows access to mailboxes across the tenant.
To defend against this kind of attack, Microsoft advised customers to take several key actions: identify malicious OAuth applications, protect against password spray attacks, enable identity alerts and protection, and identify and investigate suspicious OAuth activity. Each step targets one link in the chain described above: the unprotected account, the proxy-rotated spray, and the over-privileged application grants.
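Auditing the application permissions on the Exchange Online resource is the concrete form of "identify malicious OAuth applications" for the chain described above. The added example below (not Microsoft's code or guidance text) lists every grant of a high-privilege Exchange Online app role and flags grants performed by an account that had been created only days earlier, the pattern of a freshly minted consent account. The records are constructed in the shape of Microsoft Graph objects (servicePrincipal.appRoles, appRoleAssignment, directoryAudit, user) so the logic runs offline; in a real tenant they would come from the Exchange Online service principal's appRoleAssignedTo collection and the Entra audit log. The Exchange Online appId is the published one; every other id, name and timestamp is invented.

```python
"""Audit high-privilege Exchange Online app-role grants (added example)."""
from datetime import datetime, timedelta

EXO_APP_ID = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online resource app
HIGH_RISK_ROLES = {"full_access_as_app", "Exchange.ManageAsApp"}  # tenant-wide mailbox/admin reach
GRANT_ACTIVITY = "Add app role assignment to service principal"   # Entra audit activityDisplayName

# --- constructed tenant snapshot (role ids, names and dates are illustrative) ---
EXO_SP = {"id": "sp-exo-0001", "appId": EXO_APP_ID, "appRoles": [
    {"id": "role-0001", "value": "full_access_as_app"},
    {"id": "role-0002", "value": "Exchange.ManageAsApp"},
    {"id": "role-0003", "value": "Mail.Read"},
]}
ASSIGNMENTS = [  # appRoleAssignedTo on the Exchange Online service principal
    {"principalDisplayName": "Payroll Sync", "appRoleId": "role-0003",
     "resourceId": "sp-exo-0001", "createdDateTime": "2022-06-01T09:00:00Z"},
    {"principalDisplayName": "Mailbox Archiver", "appRoleId": "role-0001",
     "resourceId": "sp-exo-0001", "createdDateTime": "2021-03-15T12:00:00Z"},
    {"principalDisplayName": "legacy-test-app", "appRoleId": "role-0001",
     "resourceId": "sp-exo-0001", "createdDateTime": "2023-12-02T03:10:00Z"},
]
AUDITS = [  # directoryAudit entries recording who performed each grant
    {"activityDisplayName": GRANT_ACTIVITY, "activityDateTime": "2021-03-15T12:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "exo-admin@corp.example"}},
     "targetResources": [{"displayName": "Mailbox Archiver"}]},
    {"activityDisplayName": GRANT_ACTIVITY, "activityDateTime": "2023-12-02T03:10:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "svc-consent@corp.example"}},
     "targetResources": [{"displayName": "legacy-test-app"}]},
]
USERS = {  # userPrincipalName -> createdDateTime
    "exo-admin@corp.example": "2018-01-10T00:00:00Z",
    "svc-consent@corp.example": "2023-11-30T22:45:00Z",  # created two days before its grant
}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def risky_role_ids(resource_sp, risky_values=HIGH_RISK_ROLES):
    """Resolve role values to ids from the resource's own appRoles rather than hardcoding GUIDs."""
    return {r["id"]: r["value"] for r in resource_sp["appRoles"] if r["value"] in risky_values}


def audit_exchange_grants(resource_sp, assignments, audits, users, new_account_days=30):
    """One finding per high-privilege grant on the Exchange Online service principal.
    Each finding carries the app, the role, the granting account (from the audit log, matched
    on target app and timestamp) and flags, including one when that account was created
    within new_account_days before it performed the grant."""
    roles = risky_role_ids(resource_sp)
    grants = {(a["targetResources"][0]["displayName"], a["activityDateTime"]): a
              for a in audits if a["activityDisplayName"] == GRANT_ACTIVITY}
    findings = []
    for asg in assignments:
        if asg["resourceId"] != resource_sp["id"] or asg["appRoleId"] not in roles:
            continue
        f = {"app": asg["principalDisplayName"], "role": roles[asg["appRoleId"]],
             "granted": asg["createdDateTime"], "granted_by": None, "flags": ["high-privilege role"]}
        audit = grants.get((asg["principalDisplayName"], asg["createdDateTime"]))
        if audit:
            upn = audit["initiatedBy"]["user"]["userPrincipalName"]
            f["granted_by"] = upn
            created = users.get(upn)
            if created:
                age = _ts(asg["createdDateTime"]) - _ts(created)
                if age <= timedelta(days=new_account_days):
                    f["flags"].append("granted by account created %d day(s) earlier" % age.days)
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in audit_exchange_grants(EXO_SP, ASSIGNMENTS, AUDITS, USERS):
        print(finding)
```

On the constructed snapshot the Mail.Read grant is ignored, the long-standing "Mailbox Archiver" grant is reported as high-privilege only, and "legacy-test-app" is additionally flagged because the account that granted it was one day old. Resolving role ids by value keeps the check correct even if the resource's role ids differ from what a blog post lists.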
The investigation into the incident is ongoing, and Microsoft has committed to providing further details as appropriate.
Meanwhile, Hewlett Packard Enterprise (HPE) disclosed in a regulatory filing on January 19 that it believes Midnight Blizzard was responsible for a breach of its cloud-based email environment that began in May 2023. That intrusion gave the attackers access to HPE mailboxes belonging to individuals in its cybersecurity, go-to-market, business segment, and other functions.
The details Microsoft has released show how the group chained an unprotected test account, proxy-rotated password guessing, and over-privileged OAuth applications to reach senior executives’ mailboxes, and its guidance is aimed at giving customers the checks needed to spot the same chain in their own tenants.
As the investigation continues, the security community will be watching for further developments related to this incident and the broader threat posed by state-sponsored actors.