<h1>Midnight Blizzard: Guidance for responders on nation-state attack</h1>
<p>Microsoft Security Blog, published January 25, 2024 (last modified July 3, 2024). https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/</p>

<p>The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. The Microsoft Threat Intelligence investigation identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM. The latest information from the Microsoft Security Response Center (MSRC) is posted on the MSRC blog.</p>

<p>As stated in the MSRC blog, given the reality of threat actors that are well resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient. For Microsoft, this incident has highlighted the urgent need to move even faster.</p>

<p>If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks.</p>

<p>Microsoft was able to identify these attacks in log data by reviewing Exchange Web Services (EWS) activity and using our audit logging features, combined with our extensive knowledge of Midnight Blizzard. In this blog, we provide more details on Midnight Blizzard, our preliminary and ongoing analysis of the techniques they used, and how you may use this information pragmatically to protect, detect, and respond to similar threats in your own environment.</p>

<p>Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.</p>

<p>It’s important to note that this investigation is still ongoing, and we will continue to provide details as appropriate.</p>

<h2>Midnight Blizzard</h2>

<p>Midnight Blizzard (also known as NOBELIUM) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the US and Europe. Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organization to expand access and evade detection.</p>

<p>Midnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change. Midnight Blizzard’s espionage and intelligence gathering activities leverage a variety of initial access, lateral movement, and persistence techniques to collect information in support of Russian foreign policy interests. They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, and exploitation of service providers’ trust chain to gain access to downstream customers. Midnight Blizzard is also adept at identifying and abusing OAuth applications to move laterally across cloud environments and for post-compromise activity, such as email collection. OAuth is an open standard for token-based authentication and authorization that enables applications to get access to data and resources based on permissions set by a user.</p>

<p>Midnight Blizzard is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear.</p>

<h2>Midnight Blizzard observed activity and techniques</h2>

<p><strong>Initial access through password spray</strong></p>

<p>Midnight Blizzard utilized password spray attacks that successfully compromised a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled. In a password-spray attack, the adversary attempts to sign into a large volume of accounts using a small subset of the most popular or most likely passwords. In this observed Midnight Blizzard activity, the actor tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures. In addition, as we explain in more detail below, the threat actor further reduced the likelihood of discovery by launching these attacks from a distributed residential proxy infrastructure. These evasion techniques helped ensure the actor obfuscated their activity and could persist the attack over time until successful.</p>

<p><strong>Malicious use of OAuth applications</strong></p>

<p>Threat actors like Midnight Blizzard compromise user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications, even if they lose access to the initially compromised account. Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor-controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant the malicious applications the Office 365 Exchange Online <em>full_access_as_app</em> role, which allows access to mailboxes.</p>

<p><strong>Collection via Exchange Web Services</strong></p>

<p>Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts.</p>
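<p>The chain described in the two sections above (a compromised account creating a new user, that user consenting to actor-controlled applications, and the applications ending up with Exchange Online full_access_as_app) leaves three signals in the directory: a high-privilege application role, consent granted by an account that had barely existed, and a grant with a recent timestamp. The Python below is an added example, not Microsoft's tooling, that audits a constructed set of application role assignments for those signals. The record shapes and field names (granted_by, created, granted) are assumptions that only loosely mirror Microsoft Graph appRoleAssignment and user objects; an operator would populate them from their own tenant export.</p>

```python
"""Audit OAuth application grants for the account-takeover-to-OAuth pattern:
an application holding Exchange Online full_access_as_app, consent granted
by a freshly created user account, and a grant made recently.

Added example, not Microsoft's code. The records are constructed and only
loosely mirror Microsoft Graph appRoleAssignment and user objects; the
field names ('granted_by', 'created', 'granted') are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: application role assignments as exported for review.
APP_ROLE_ASSIGNMENTS = [
    {"app": "Legacy Test App", "resource": "Office 365 Exchange Online",
     "role": "full_access_as_app", "granted": "2019-03-04T10:00:00Z",
     "granted_by": "svc-legacy@corp.example"},
    {"app": "Mail Sync Helper", "resource": "Office 365 Exchange Online",
     "role": "full_access_as_app", "granted": "2024-01-10T02:13:00Z",
     "granted_by": "jdoe2@corp.example"},
    {"app": "Calendar Widget", "resource": "Microsoft Graph",
     "role": "Calendars.Read", "granted": "2023-11-01T09:00:00Z",
     "granted_by": "alice@corp.example"},
]

# Constructed sample: directory users with their account creation times.
USERS = {
    "svc-legacy@corp.example": {"created": "2018-06-01T00:00:00Z"},
    "jdoe2@corp.example": {"created": "2024-01-09T23:50:00Z"},
    "alice@corp.example": {"created": "2021-02-15T00:00:00Z"},
}

# (resource, role) pairs that give mailbox-wide access with no user context.
HIGH_RISK_ROLES = {("Office 365 Exchange Online", "full_access_as_app")}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_grants(assignments, users, now,
                 new_account_window=timedelta(days=7),
                 recent_grant_window=timedelta(days=30)):
    """Return one finding per suspicious grant, most-flagged first.

    A grant that matches all three signals is what the chain above looks
    like in the directory; a single signal (an old, known high-privilege app)
    still deserves a review entry because that is the 'legacy test app'
    case.
    """
    findings = []
    for a in assignments:
        reasons = []
        granted = parse_ts(a["granted"])
        if (a["resource"], a["role"]) in HIGH_RISK_ROLES:
            reasons.append("high-risk application role")
        grantor = users.get(a["granted_by"])
        # Consent given within days of the granting account being created.
        if grantor and granted - parse_ts(grantor["created"]) <= new_account_window:
            reasons.append("consent granted by a newly created account")
        if now - granted <= recent_grant_window:
            reasons.append("grant made recently")
        if reasons:
            findings.append({
                "app": a["app"], "role": a["role"], "granted_by": a["granted_by"],
                "reasons": reasons,
                "priority": {3: "critical", 2: "high"}.get(len(reasons), "review"),
            })
    return sorted(findings, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for f in audit_grants(APP_ROLE_ASSIGNMENTS, USERS, parse_ts("2024-01-25T00:00:00Z")):
        print(f["priority"].upper(), f["app"], "->", "; ".join(f["reasons"]))
```

<p>The audit deliberately reports the old legacy application as well as the fresh one: the incident above began with a long-forgotten test application that already held elevated access, so an inventory that only alerts on recent changes would have missed the foothold.</p>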

<p><strong>Use of residential proxy infrastructure</strong></p>

<p>As part of their multiple attempts to obfuscate the source of their attack, Midnight Blizzard used residential proxy networks, routing their traffic through a vast number of IP addresses that are also used by legitimate users, to interact with the compromised tenant and, subsequently, with Exchange Online. While not a new technique, Midnight Blizzard’s use of residential proxies to obfuscate connections makes traditional indicators of compromise (IOC)-based detection infeasible due to the high changeover rate of IP addresses.</p>
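<p>The password-spray section and this one together explain why two common rules fail: a per-account lockout never trips when each account sees only one or two attempts, and a per-IP threshold or IP block list never trips when every attempt arrives from a different residential address. The Python below is an added example, not Microsoft's detection logic, that runs both the naive per-IP rule and a cross-account aggregation over a constructed set of sign-in records, then lists targeted accounts that subsequently signed in from an address with no earlier success. The key=value log format and the constructed accounts and documentation-range IPs are assumptions; a real deployment would read the tenant's sign-in logs.</p>

```python
"""Detect a low-and-slow password spray routed through many source IPs.

Added example, not Microsoft's detection logic. The sign-in records are
constructed (documentation IP ranges, example accounts) and the key=value
log format is an assumption; a real deployment would read the tenant's
sign-in logs instead.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")

# Constructed sample: between 03:00 and 03:25 eight accounts each receive one
# or two failed sign-ins, every attempt from a different IP, and one account
# is finally accessed. The remaining lines are ordinary user traffic.
SAMPLE_LOG = """\
2024-01-12T01:00:00Z user=bob@corp.example ip=192.0.2.40 result=success
2024-01-12T02:30:00Z user=alice@corp.example ip=192.0.2.15 result=success
2024-01-12T03:00:01Z user=alice@corp.example ip=203.0.113.10 result=failure
2024-01-12T03:02:14Z user=bob@corp.example ip=203.0.113.22 result=failure
2024-01-12T03:04:40Z user=carol@corp.example ip=198.51.100.31 result=failure
2024-01-12T03:05:09Z user=test-legacy@corp.example ip=203.0.113.44 result=failure
2024-01-12T03:07:55Z user=dave@corp.example ip=198.51.100.8 result=failure
2024-01-12T03:10:12Z user=erin@corp.example ip=203.0.113.91 result=failure
2024-01-12T03:13:30Z user=frank@corp.example ip=198.51.100.120 result=failure
2024-01-12T03:16:02Z user=grace@corp.example ip=203.0.113.63 result=failure
2024-01-12T03:21:47Z user=alice@corp.example ip=198.51.100.77 result=failure
2024-01-12T03:24:19Z user=test-legacy@corp.example ip=203.0.113.150 result=failure
2024-01-12T03:40:33Z user=test-legacy@corp.example ip=203.0.113.77 result=success
2024-01-12T08:15:00Z user=bob@corp.example ip=192.0.2.40 result=failure
2024-01-12T08:15:30Z user=bob@corp.example ip=192.0.2.40 result=success
"""


def parse_log(text):
    """Turn key=value sign-in lines into dicts with an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def per_ip_alerts(events, threshold=5):
    """The naive rule a proxy-backed spray defeats: fire when a single IP
    fails 'threshold' times or more. With one attempt per IP it never fires."""
    fails = Counter(e["ip"] for e in events if e["result"] == "failure")
    return [ip for ip, n in fails.items() if n >= threshold]


def detect_spray(events, min_accounts=5, max_per_account=3):
    """Aggregate failures per hour across ALL accounts and IPs. Many distinct
    accounts, each with only a few failures, is the spray signature even when
    every attempt arrives from a different residential address."""
    by_hour = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_hour[e["ts"].replace(minute=0, second=0)].append(e)
    alerts = []
    for hour, fails in sorted(by_hour.items()):
        per_account = Counter(e["user"] for e in fails)
        per_ip = Counter(e["ip"] for e in fails)
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            alerts.append({
                "window_start": hour,
                "accounts": len(per_account),
                "source_ips": len(per_ip),
                "max_failures_per_account": max(per_account.values()),
                "max_attempts_per_ip": max(per_ip.values()),
                "targeted": sorted(per_account),
            })
    return alerts


def successes_after_spray(events, alerts):
    """Targeted accounts that later signed in successfully from an IP with no
    earlier successful sign-in for that user: the accounts to triage first."""
    targeted = {u for a in alerts for u in a["targeted"]}
    first_fail = {}
    known_ips = defaultdict(set)  # IPs each user has succeeded from before
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        u, ip = e["user"], e["ip"]
        if e["result"] == "failure":
            first_fail.setdefault(u, e["ts"])
        elif u in targeted and u in first_fail and ip not in known_ips[u]:
            hits.append({"user": u, "ip": ip, "ts": e["ts"]})
        if e["result"] == "success":
            known_ips[u].add(ip)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rule alerts:", per_ip_alerts(evs))
    alerts = detect_spray(evs)
    for a in alerts:
        print("spray window starting", a["window_start"], a)
    print("likely compromised:", successes_after_spray(evs, alerts))
```

<p>On the sample, the per-IP rule returns nothing and each account stays under a lockout threshold of three, while the hourly aggregation reports one window with eight accounts hit from ten different addresses, and the follow-up step singles out the one account that was then accessed from a never-before-seen IP. The thresholds (min_accounts, max_per_account, the hourly bucket) are tuning knobs to set against a tenant's baseline, not fixed values.</p>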

<h2>Defense and protection guidance</h2>

<p>Due to the heavy use of proxy infrastructure with a high changeover rate, searching for traditional IOCs, such as infrastructure IP addresses, is not sufficient to detect this type of Midnight Blizzard activity. Instead, Microsoft recommends the following guidance to detect and help reduce the risk of this type of threat:</p>

<p><strong>Defend against malicious OAuth applications</strong></p>