Microsoft reveals how hackers breached its Exchange Online accounts

January 26, 2024 at 10:28AM

Microsoft confirmed that the Russian hacking group Midnight Blizzard, linked to the Russian Foreign Intelligence Service, breached its systems in November 2023 and stole email from its leadership. The group gained access through a non-MFA-enabled test account and leveraged OAuth applications to access corporate mailboxes. Similar attacks targeting other organizations have been identified. Microsoft provides detection methods for defenders.

The key takeaways concern the malicious activity of the Russian Foreign Intelligence Service hacking group known as Midnight Blizzard (also tracked as APT29). Microsoft confirmed that these threat actors not only breached its own systems but also targeted other organizations, including HPE.

Key points to note are:

1. Microsoft confirmed that Midnight Blizzard breached its systems in November 2023 and stole email data, using residential proxies and “password spraying” to gain unauthorized access to a test account that did not have MFA enabled.
2. The group also compromised a legacy test OAuth application that held elevated access, which let them create additional malicious OAuth applications and use those to reach other corporate mailboxes.
3. Microsoft identified the malicious activity by reviewing Exchange Web Services (EWS) logs and correlating them with tactics known to be used by state-sponsored hacking groups.
4. Midnight Blizzard’s attacks were not limited to Microsoft; other organizations, such as HPE, were targeted as well.
5. Microsoft has published extensive detection and hunting guidance to help defenders identify and block APT29 activity.

These points highlight the sophisticated nature of the attacks and the importance of implementing stringent security measures to defend against them.
