On Thursday, Microsoft disclosed that the Russian state-sponsored threat actor behind the attack on its own systems in late November 2023 has also been targeting other organizations, and said it is now notifying the affected entities.
The disclosure follows Hewlett Packard Enterprise's revelation that it too was breached by the same group, tracked as APT29 and also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.
According to Microsoft's Threat Intelligence team, APT29 primarily targets governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, mostly in the U.S. and Europe, a pattern consistent with its long-running espionage effort to collect information of strategic interest to the Russian Federation.
How broad the campaign is remains unclear: Microsoft has not named the organizations being targeted. The group's tradecraft relies on legitimate but compromised accounts to expand its access inside victim environments while evading detection.
Notably, APT29 has been observed abusing OAuth applications to move laterally across cloud environments as part of its post-compromise activity, such as collecting sensitive email. Its initial access methods vary: credential theft, supply chain compromises, and abuse of the trust relationships that service providers hold with their downstream customers.
A significant tactic is using breached user accounts to create, modify, and grant elevated permissions to OAuth applications. Because an application's permissions belong to the application itself rather than to the user who registered it, these applications let the attackers hide their activity behind what looks like legitimate app traffic and keep their access even after they lose the original compromised account.
In the Microsoft incident itself, the group used a password spray attack against a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled. The attackers kept the spray below detection thresholds by limiting the number of accounts targeted and the number of password attempts made against each one.
Having gained a foothold, the actors compromised a legacy test OAuth application that held elevated access to Microsoft's corporate environment and used it to create additional, malicious OAuth applications. They then granted those applications the Office 365 Exchange Online full_access_as_app role, which gives an application access to mailboxes, and used that access to extract mailbox data.
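The chain just described (a new service principal registered and, shortly afterwards, granted app-only mailbox access, with the grant performed by another application rather than by an admin) is something defenders can hunt for in the Entra ID audit log. The following Python example is added here and is not Microsoft's code. It runs over constructed audit records with a simplified, assumed field layout (activity, initiator, target), so the field names have to be mapped onto a real audit-log export. full_access_as_app on Office 365 Exchange Online is the role named in Microsoft's account of the incident; the Microsoft Graph mail permissions in the watch-list are an added assumption about what else is worth monitoring.

```python
"""Hunt Entra ID audit events for the OAuth abuse chain: a service principal
that is created and, soon after, granted app-only mailbox access, with the
grant performed by another application rather than an interactive admin.
Added example, not Microsoft's code. The records and their field layout
(activity / initiator / target) are constructed and simplified; map them
onto the fields of your own audit-log export."""
import json
from datetime import datetime, timedelta

# App-only roles that give mailbox access. full_access_as_app on Exchange
# Online is the role named in Microsoft's account of the incident; the
# Microsoft Graph entries are an added assumption about what else to watch.
HIGH_RISK_ROLES = {
    "Office 365 Exchange Online": {"full_access_as_app"},
    "Microsoft Graph": {"Mail.Read", "Mail.ReadWrite"},
}
GRANT_WINDOW = timedelta(hours=24)  # "registered, then immediately privileged"

# Constructed sample: one malicious chain (sp-001) driven by a legacy app,
# one legitimate low-risk grant by an admin (sp-042), and one long-standing
# connector that legitimately holds full_access_as_app (sp-007).
SAMPLE_AUDIT_LOG = r"""
{"time":"2023-11-01T10:00:00Z","activity":"Add service principal","initiator":{"type":"user","id":"admin@example.onmicrosoft.com"},"target":{"spId":"sp-007","spDisplayName":"Backup Connector"}}
{"time":"2023-11-20T09:00:00Z","activity":"Add app role assignment to service principal","initiator":{"type":"user","id":"admin@example.onmicrosoft.com"},"target":{"spId":"sp-042","spDisplayName":"HR Portal","resource":"Microsoft Graph","appRole":"User.Read.All"}}
{"time":"2023-11-26T10:00:00Z","activity":"Add app role assignment to service principal","initiator":{"type":"user","id":"admin@example.onmicrosoft.com"},"target":{"spId":"sp-007","spDisplayName":"Backup Connector","resource":"Office 365 Exchange Online","appRole":"full_access_as_app"}}
{"time":"2023-11-27T02:10:00Z","activity":"Add service principal","initiator":{"type":"user","id":"svc-legacy-test@example.onmicrosoft.com"},"target":{"spId":"sp-001","spDisplayName":"Mailbox Sync Helper"}}
{"time":"2023-11-27T02:12:30Z","activity":"Add app role assignment to service principal","initiator":{"type":"app","id":"Legacy Test App"},"target":{"spId":"sp-001","spDisplayName":"Mailbox Sync Helper","resource":"Office 365 Exchange Online","appRole":"full_access_as_app"}}
"""


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_grants(events):
    """Return high-risk app-role grants, scored by how many signals of the
    abuse chain they carry (highest score first)."""
    created = {e["target"]["spId"]: ts(e)
               for e in events if e["activity"] == "Add service principal"}
    findings = []
    for e in events:
        if e["activity"] != "Add app role assignment to service principal":
            continue
        target = e["target"]
        if target["appRole"] not in HIGH_RISK_ROLES.get(target["resource"], set()):
            continue
        reasons = [f"grants {target['appRole']} on {target['resource']}"]
        if e["initiator"]["type"] == "app":
            # Grant issued under an application's identity, i.e. by another
            # OAuth app rather than by an interactive administrator.
            reasons.append(f"granted by application '{e['initiator']['id']}', not an admin user")
        created_at = created.get(target["spId"])
        if created_at is not None and timedelta(0) <= ts(e) - created_at <= GRANT_WINDOW:
            reasons.append("service principal created less than 24h before the grant")
        findings.append({"spId": target["spId"], "spDisplayName": target["spDisplayName"],
                         "time": e["time"], "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in find_suspicious_grants(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"[score {f['score']}] {f['spDisplayName']} ({f['spId']}) at {f['time']}")
        for r in f["reasons"]:
            print("   -", r)
```

The long-standing backup connector still surfaces with a score of 1, because any application holding full_access_as_app deserves periodic review; the score separates "worth a ticket" from "investigate now". Tune the watch-list and the grant window to your tenant, and treat a grant whose initiator is an application as the strongest single signal.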
Moreover, the attacks were launched through a distributed residential proxy network, so the actors reached compromised tenants and Exchange Online from a large, changing set of IP addresses that look like those of ordinary home users. IP-based indicators of compromise (IoCs) are therefore of little use for detection; organizations instead need to hunt proactively for unauthorized OAuth applications and for low-and-slow password spraying.
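Because each attempt arrives from a different residential IP and each targeted account sees only one or two attempts, a per-IP failure threshold never fires. The example below, added here and not part of the original article, contrasts that conventional rule with a detector that slides a window over failed sign-ins and looks for many distinct accounts each failing a few times from many distinct sources, then checks whether any sprayed account later signed in without MFA. The sign-in records are constructed and use a simplified field layout (time, user, ip, status, mfa) that is an assumption, not the exact Entra ID sign-in schema; 50126 is Entra ID's invalid-password error code and 0 denotes a successful sign-in.

```python
"""Low-and-slow password-spray detection over Entra ID sign-in events,
plus a check for the follow-on success against an account without MFA.
Added example, not Microsoft's code. The records below are constructed and
use a simplified field layout (time, user, ip, status, mfa) that is an
assumption rather than the exact Entra ID sign-in log schema."""
import json
from collections import Counter
from datetime import datetime, timedelta

INVALID_PASSWORD = "50126"  # Entra ID sign-in error code for a wrong password
SUCCESS = "0"

# Constructed sample: a single failure per targeted account, each from a
# different source IP (the residential-proxy pattern), one account with no
# MFA that then signs in successfully, and one real user (alice) who mistypes
# her password four times from her own IP before signing in with MFA.
SAMPLE_SIGNINS = r"""
{"time":"2023-11-25T01:02:00Z","user":"u01@example.com","ip":"203.0.113.11","status":"50126","mfa":false}
{"time":"2023-11-25T01:35:00Z","user":"u02@example.com","ip":"203.0.113.52","status":"50126","mfa":false}
{"time":"2023-11-25T02:00:00Z","user":"alice@example.com","ip":"192.0.2.10","status":"50126","mfa":false}
{"time":"2023-11-25T02:01:00Z","user":"alice@example.com","ip":"192.0.2.10","status":"50126","mfa":false}
{"time":"2023-11-25T02:03:00Z","user":"alice@example.com","ip":"192.0.2.10","status":"50126","mfa":false}
{"time":"2023-11-25T02:05:00Z","user":"alice@example.com","ip":"192.0.2.10","status":"50126","mfa":false}
{"time":"2023-11-25T02:07:00Z","user":"alice@example.com","ip":"192.0.2.10","status":"0","mfa":true}
{"time":"2023-11-25T02:10:00Z","user":"u03@example.com","ip":"198.51.100.7","status":"50126","mfa":false}
{"time":"2023-11-25T02:48:00Z","user":"u04@example.com","ip":"198.51.100.80","status":"50126","mfa":false}
{"time":"2023-11-25T03:15:00Z","user":"u05@example.com","ip":"203.0.113.201","status":"50126","mfa":false}
{"time":"2023-11-25T03:40:00Z","user":"legacy-test-01@example.com","ip":"198.51.100.33","status":"50126","mfa":false}
{"time":"2023-11-25T04:05:00Z","user":"legacy-test-01@example.com","ip":"203.0.113.77","status":"0","mfa":false}
{"time":"2023-11-25T04:20:00Z","user":"u06@example.com","ip":"203.0.113.9","status":"50126","mfa":false}
{"time":"2023-11-25T05:05:00Z","user":"u07@example.com","ip":"198.51.100.140","status":"50126","mfa":false}
{"time":"2023-11-25T09:00:00Z","user":"u03@example.com","ip":"192.0.2.55","status":"0","mfa":true}
"""


def parse(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def per_ip_threshold(events, limit=5):
    """Conventional rule: alert on any single IP with more than `limit`
    failures. Against a distributed spray it has nothing to fire on."""
    counts = Counter(e["ip"] for e in events if e["status"] == INVALID_PASSWORD)
    return sorted(ip for ip, n in counts.items() if n > limit)


def detect_spray(events, window=timedelta(hours=6), min_users=5,
                 max_per_user=3, min_ip_ratio=0.5):
    """Slide `window` over failed sign-ins and look for many distinct accounts
    each failing only a few times, from many distinct source IPs."""
    failures = sorted((e for e in events if e["status"] == INVALID_PASSWORD), key=ts)
    best = None
    for i, first in enumerate(failures):
        end = ts(first) + window
        bucket = [e for e in failures[i:] if ts(e) <= end]
        per_user = Counter(e["user"] for e in bucket)
        # Accounts hit many times are a brute force or a typo, not spray targets.
        sprayed = {u for u, n in per_user.items() if n <= max_per_user}
        if len(sprayed) < min_users:
            continue
        attempts = [e for e in bucket if e["user"] in sprayed]
        ips = {e["ip"] for e in attempts}
        if len(ips) / len(attempts) < min_ip_ratio:
            continue  # concentrated source; a per-IP rule would catch that itself
        if best is None or len(sprayed) > len(best["users"]):
            best = {"window_start": first["time"], "users": sorted(sprayed),
                    "attempts": len(attempts), "distinct_ips": len(ips)}
    if best is None:
        return None
    start = datetime.strptime(best["window_start"], "%Y-%m-%dT%H:%M:%SZ")
    # Follow-on: a sprayed account that then signed in without MFA is the
    # legacy-test-account failure mode from the Microsoft incident.
    best["compromised"] = sorted({e["user"] for e in events
                                  if e["user"] in best["users"] and e["status"] == SUCCESS
                                  and not e["mfa"] and ts(e) >= start})
    return best


if __name__ == "__main__":
    signins = parse(SAMPLE_SIGNINS)
    print("per-IP rule flags:", per_ip_threshold(signins))
    print(json.dumps(detect_spray(signins), indent=2))
```

On the sample, the per-IP rule returns nothing, while the windowed detector reports eight sprayed accounts across eight source IPs and names the one account that subsequently authenticated without MFA. The thresholds (window length, minimum accounts, maximum attempts per account, distinct-IP ratio) are starting points to tune against a tenant's normal failure rate; the distinct-IP ratio is what separates a proxied spray from a single misbehaving client.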