Full Report
Researchers have disrupted an operation attributed to Russian state-sponsored threat group Midnight Blizzard, who sought access to Microsoft 365 accounts and data. [...]
Analysis Summary
# Threat Actor: Midnight Blizzard (APT29)
## Attribution & Identity
Attributed to the Russian state-sponsored threat group **Midnight Blizzard**, also known as **APT29**. The group is linked to Russia’s Foreign Intelligence Service (SVR).
## Activity Summary
Researchers disrupted a watering hole campaign attributed to Midnight Blizzard targeting Microsoft 365 accounts and data. The group compromised legitimate websites and planted base64-obfuscated JavaScript that redirected a subset of visitors to attacker-controlled infrastructure designed to capture account authorizations through the Microsoft device code flow. This campaign reflects an evolution in the group's technical approach, moving away from impersonating AWS domains and from older MFA bypass techniques.
## Tactics, Techniques & Procedures
- **Watering Hole Attacks:** Compromising legitimate websites to redirect traffic.
- **Obfuscation:** Using `base64` encoding for malicious JavaScript code on compromised sites.
- **Randomized Redirection:** Redirecting only approximately 10% of compromised site visitors to malicious infrastructure using a cookie-based system to avoid suspicion from repeated exposure.
- **Impersonation:** Hosting fake verification pages that mimic Cloudflare.
- **Authentication Hijacking:** Guiding victims through a malicious Microsoft device code authentication flow to trick users into authorizing attacker-controlled devices.
## Targeting
- Sectors: Organizations in general that use Microsoft 365; based on the group's historical profile, the implied targets are high-value intelligence targets.
- Geography: Not explicitly detailed for this campaign, but the actor is Russian-linked and has historically targeted European entities.
- Victims: The campaign targeted users attempting to access Microsoft 365 accounts. Historically linked victims mentioned include European embassies, Hewlett Packard Enterprise, and TeamViewer.
## Tools & Infrastructure
- **Malware families used:** The article mentions the group deploys **Grapeloader** in other contexts, but no specific malware was detailed for this watering hole operation beyond the redirection mechanisms.
- **Infrastructure (C2, domains, IPs; URLs defanged):**
  - Malicious domains hosting fake Cloudflare verification pages: `findcloudflare[.]com`, `cloudflare[.]redirectpartners[.]com`
  - EC2 instances used to host the fraudulent authentication flow.
## Implications
This campaign demonstrates an evolution in APT29's technical execution, focusing on credential harvesting and intelligence gathering via sophisticated social engineering revolving around device authorization flows, rather than relying on previous MFA bypass (app-specific password) methods or social engineering mimicking AWS. The threat remains high due to their persistence and adaptability in targeting major cloud environments.
## Mitigations
- Verify all device authorization and authentication requests carefully.
- Enable and strictly enforce Multi-Factor Authentication (MFA).
- Avoid executing commands copied directly from webpages.
- Administrators should consider disabling unnecessary device authorization flows where possible.
- Enforce conditional access policies.
- Closely monitor authentication logs for suspicious events.
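As an added example, not taken from the report, the following Python triage script shows the kind of check the last two mitigations call for: it walks a batch of sign-in records (constructed here, shaped like Microsoft Graph `signIn` objects, whose field names are an assumption of this example), flags every device code authentication, and escalates those coming from an IP address the user has never otherwise signed in from, which is the trace a watering hole victim leaves when the attacker's host completes the device code flow.

```python
import json
from collections import Counter

# Constructed sample records shaped like Microsoft Graph signIn objects.
# Field names are assumed from that API; every value is made up for this example.
SAMPLE_SIGNINS = """
[
 {"createdDateTime":"2025-01-10T08:01:00Z","userPrincipalName":"alice@example.test","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","conditionalAccessStatus":"success"},
 {"createdDateTime":"2025-01-10T09:15:00Z","userPrincipalName":"alice@example.test","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Authentication Broker","conditionalAccessStatus":"notApplied"},
 {"createdDateTime":"2025-01-10T09:20:00Z","userPrincipalName":"bob@example.test","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","appDisplayName":"Microsoft Azure CLI","conditionalAccessStatus":"success"},
 {"createdDateTime":"2025-01-09T10:00:00Z","userPrincipalName":"bob@example.test","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","appDisplayName":"Microsoft Azure CLI","conditionalAccessStatus":"success"}
]
"""


def find_device_code_signins(records):
    """Return one finding per device-code sign-in, ordered by time.

    severity "high":   the sign-in IP appears in no other record for that user,
                       so the device was authorized from infrastructure the
                       user has never used (the watering-hole victim pattern).
    severity "medium": device code flow was used, but from an IP the user also
                       signs in from normally (e.g. a developer using a CLI).
    ca_not_applied:    True when no Conditional Access policy covered the
                       sign-in, i.e. the flow slipped past the policy set.
    """
    # How many sign-ins each (user, ip) pair has in the batch; a device-code
    # sign-in whose pair occurs only once has no corroborating activity.
    pair_counts = Counter((r["userPrincipalName"], r["ipAddress"]) for r in records)
    findings = []
    for r in sorted(records, key=lambda r: r["createdDateTime"]):
        if r["authenticationProtocol"] != "deviceCode":
            continue
        known_ip = pair_counts[(r["userPrincipalName"], r["ipAddress"])] > 1
        findings.append({
            "time": r["createdDateTime"],
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "app": r["appDisplayName"],
            "severity": "medium" if known_ip else "high",
            "ca_not_applied": r["conditionalAccessStatus"] != "success",
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(json.loads(SAMPLE_SIGNINS)):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} from {f['ip']} via {f['app']}")
```

In a real deployment the same logic runs over sign-in log exports or a SIEM query filtered on `authenticationProtocol == "deviceCode"`, with the IP baseline taken from a longer window than one batch.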