Midnight Blizzard uses espionage attacks to target government, NGOs, discrete manufacturing sectors

Microsoft's Threat Intelligence team has identified highly targeted social engineering attacks in which credential-theft phishing lures are delivered as Microsoft Teams chats by the threat actor the company tracks as Midnight Blizzard (previously tracked as Nobelium). This latest activity, taken together with the group's past operations, shows Midnight Blizzard continuing to pursue its objectives with a mix of new and well-worn techniques. The organizations targeted point to specific espionage objectives directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.

“In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities,” the team disclosed in its latest blog post. “Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.” 

As with any social engineering lure, Microsoft added that it encourages “organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious.”

The researchers disclosed that the target user may receive a Microsoft Teams message request from an external user masquerading as a technical support or security team. “If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device,” they added.

Subsequently, “if the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow,” the researchers noted. “The actor then proceeds to conduct post-compromise activity, which typically involves information theft from the compromised Microsoft 365 tenant.”

They added that in some cases, “the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.”

The post added that Microsoft has blocked the actor's use of these domains and continues to investigate the activity and work to remediate its impact. As with any observed nation-state activity, Microsoft has directly notified targeted or compromised customers, providing them with the information needed to secure their environments.

Midnight Blizzard, also tracked as Nobelium, is a Russia-based threat actor that the US and UK governments have attributed to the Foreign Intelligence Service of the Russian Federation, also known as the SVR, the team noted. “This threat actor is known to primarily target governments, diplomatic entities, non-government organizations (NGOs), and IT service providers primarily in the US and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018.”

Microsoft identified that the group’s operations often involve the compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization in order to expand access and evade detection. “Midnight Blizzard regularly utilizes token theft techniques for initial access into targeted environments, in addition to authentication spear-phishing, password spray, brute force, and other credential attacks. The attack pattern observed in malicious activity since at least late May 2023 has been identified as a subset of broader credential attack campaigns that we attribute to Midnight Blizzard,” it added.

Midnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain access to downstream customers, as well as the Active Directory Federation Service (AD FS) malware known as FOGGYWEB and MAGICWEB. 

Midnight Blizzard (NOBELIUM) is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear.

Microsoft also notes that, to stage the attack, the actor uses Microsoft 365 tenants owned by small businesses that it compromised in earlier intrusions to host and launch the social engineering campaign.

“The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant,” the post added. “The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages. These precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domain names in social engineering lures are part of our ongoing investigation. Microsoft has mitigated the actor from using the domains.”

In this activity, Midnight Blizzard has either obtained valid account credentials for the users it is targeting, or it is targeting users who have passwordless authentication configured on their account. Both cases require the user to enter a code, displayed during the authentication flow, into the prompt on the Microsoft Authenticator app on their mobile device. Because the actor initiates the sign-in, the prompt the user sees on their phone is a genuine one; the Teams message exists only to supply the number the user should type into it.

The team identified that after attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. “The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device.”

To mitigate these threats, Microsoft suggests deploying phishing-resistant authentication methods for users, implementing Conditional Access authentication strength policies that require phishing-resistant authentication for employees and external users on critical apps, and specifying trusted Microsoft 365 organizations to define which external domains are allowed or blocked for chat and meetings.

It also recommends keeping Microsoft 365 auditing enabled, choosing appropriate access settings for external collaboration, allowing only known devices that adhere to Microsoft's recommended security baselines, educating users about social engineering and credential phishing attacks, checking the external tagging on communication attempts, and reviewing sign-in activity. Implementing Conditional Access App Control in Microsoft Defender for Cloud Apps can further reduce the risk of phishing attacks.
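The review steps above (sign-in activity, device registration, trusted organizations for external chat) are easy to turn into a first-pass triage script. The following is an added example and is not code from Microsoft or from the page: it correlates a successful Authenticator-approved sign-in from an unrecognised network with a "Register device" audit event by the same user shortly afterwards, which is the sequence the article describes, and it classifies a Teams external sender against a trusted-organization allow list. All records, the egress range, the allow list and the keyword list are constructed assumptions; the field names only loosely follow the Entra ID sign-in and audit log exports.

```python
"""Triage helpers for the Teams lure / Authenticator code-entry pattern.

Added example, not Microsoft's code. Every record below is constructed, and
KNOWN_EGRESS, TRUSTED_ORGS and LURE_KEYWORDS are assumptions for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# --- constructed data (subset of Entra ID sign-in / audit log fields) -------
SIGN_INS = [
    {"upn": "alice@contoso.example", "time": "2023-06-01T09:02:11Z", "ip": "203.0.113.7",
     "result": "success", "method": "Microsoft Authenticator App", "interactive": True},
    {"upn": "bob@contoso.example", "time": "2023-06-01T09:10:00Z", "ip": "198.51.100.20",
     "result": "success", "method": "Microsoft Authenticator App", "interactive": True},
    {"upn": "carol@contoso.example", "time": "2023-06-01T09:12:00Z", "ip": "203.0.113.9",
     "result": "failure", "method": "Microsoft Authenticator App", "interactive": True},
]
AUDITS = [
    {"activity": "Register device", "upn": "alice@contoso.example", "time": "2023-06-01T09:14:40Z"},
    {"activity": "Update user", "upn": "bob@contoso.example", "time": "2023-06-01T09:30:00Z"},
    {"activity": "Register device", "upn": "carol@contoso.example", "time": "2023-06-01T09:13:00Z"},
]
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed corporate egress
TRUSTED_ORGS = {"contoso.example", "partner.example"}       # assumed Teams allow list
LURE_KEYWORDS = ("security", "protection", "identity", "support", "helpdesk", "teams")


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def from_known_egress(ip: str) -> bool:
    """True when the sign-in source is inside a range the organisation owns."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def mfa_then_device_registration(sign_ins, audits, window=timedelta(minutes=30)):
    """Pair each successful, interactive, Authenticator-approved sign-in from an
    unknown network with a 'Register device' audit event by the same user inside
    `window`. That is the post-compromise step described above: the actor signs
    in with the victim's approval, then registers a device to satisfy
    managed-device Conditional Access policies."""
    registrations = [a for a in audits if a["activity"] == "Register device"]
    hits = []
    for s in sign_ins:
        if s["result"] != "success" or not s["interactive"]:
            continue
        if s["method"] != "Microsoft Authenticator App" or from_known_egress(s["ip"]):
            continue
        t0 = _ts(s["time"])
        for r in registrations:
            if r["upn"] == s["upn"] and t0 <= _ts(r["time"]) <= t0 + window:
                hits.append({"upn": s["upn"], "sign_in": s["time"],
                             "device_registered": r["time"], "ip": s["ip"]})
    return hits


def classify_external_sender(sender_upn: str, trusted_orgs=TRUSTED_ORGS) -> str:
    """Apply the 'trusted organizations' idea to a Teams external sender.
    Anything outside the allow list is 'untrusted'; an onmicrosoft.com tenant
    whose name carries security/support wording matches the lure pattern."""
    domain = sender_upn.rsplit("@", 1)[-1].lower()
    if domain in trusted_orgs:
        return "trusted"
    suffix = ".onmicrosoft.com"
    if domain.endswith(suffix):
        label = domain[: -len(suffix)]
        if any(k in label for k in LURE_KEYWORDS):
            return "untrusted-lure-pattern"
    return "untrusted"


if __name__ == "__main__":
    for hit in mfa_then_device_registration(SIGN_INS, AUDITS):
        print("review:", hit)
    for sender in ("helpdesk@securityteam-support.onmicrosoft.com", "it@partner.example"):
        print(sender, "->", classify_external_sender(sender))
```

On the constructed data only alice is flagged: bob signed in from the assumed corporate range and carol's sign-in failed, which is exactly the kind of noise a raw "device registered" alert would otherwise produce. In a real tenant the same two checks map onto an Entra sign-in log export and the audit log, and the allow list onto the Teams external access configuration.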
