
Microsoft Warns of Midnight Blizzard’s Return — Cyber Campaign Targets Governments and NGOs

James Morales

Key Takeaways

  • Midnight Blizzard sent thousands of phishing emails in a campaign targeting government agencies and NGOs.
  • Microsoft has warned that files contained in the email could compromise users’ computers.
  • Since 2020, the state-backed Russian hacker group has consistently targeted Western organizations.

Microsoft has issued a warning about Midnight Blizzard after identifying, on Oct. 22, an email spear-phishing campaign attributed to the Russian hacking group.

The attack saw Midnight Blizzard send phishing emails to thousands of users in over 100 organizations, including government agencies, higher education, defense, and non-governmental organizations in dozens of countries.

Midnight Blizzard Strikes Again

Six months after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed that Midnight Blizzard had infiltrated some civilian agencies’ email correspondence, Microsoft has highlighted another malicious email campaign originating from the same source.

Whereas previous attacks have typically relied on large-scale phishing operations, sending out huge volumes of emails to maximize the chances of someone downloading the malicious files, Microsoft described the “spear-phishing” campaign as being “highly targeted.” 

The emails used specific social engineering lures to trick targets. Each contained a Remote Desktop Protocol (RDP) configuration file that, if opened, “would lead to significant information exposure,” Microsoft said.
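To make the risk in such an attachment concrete, the following is an added example (not code from the article or from Microsoft) that parses the plain-text `key:type:value` format of a `.rdp` file and flags settings that hand local resources to the remote host. The sample file contents are constructed, the hostname is a placeholder, and the choice of which keys count as risky (drive, device, clipboard, printer, smart-card and COM-port redirection, plus RemoteApp mode) is this example's own assumption about what "information exposure" means for a connection to an untrusted server.

```python
import re

# Constructed sample .rdp contents (placeholder host, not from the article).
# Real .rdp files are often UTF-16 encoded; decode before passing text here.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
devicestoredirect:s:*
"""

# Assumed risky settings: key -> (expected type letter, predicate on value).
# Enabled values expose local drives, devices or clipboard to the remote host.
RISKY_SETTINGS = {
    "drivestoredirect":      ("s", lambda v: v.strip() != ""),
    "devicestoredirect":     ("s", lambda v: v.strip() != ""),
    "redirectclipboard":     ("i", lambda v: v == "1"),
    "redirectprinters":      ("i", lambda v: v == "1"),
    "redirectsmartcards":    ("i", lambda v: v == "1"),
    "redirectcomports":      ("i", lambda v: v == "1"),
    "remoteapplicationmode": ("i", lambda v: v == "1"),
}

# Each line is "<key>:<type>:<value>"; keys may contain spaces ("full address").
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def parse_rdp(text):
    """Parse .rdp text into a dict of lowercase key -> (type, value)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        settings[m.group("key").lower()] = (m.group("type"), m.group("value"))
    return settings


def inspect_rdp(text):
    """Return the connection target and the list of risky settings found."""
    settings = parse_rdp(text)
    findings = []
    for key, (expected_type, is_risky) in RISKY_SETTINGS.items():
        if key in settings:
            typ, value = settings[key]
            if typ == expected_type and is_risky(value):
                findings.append(f"{key}={value}")
    target = settings.get("full address", ("s", ""))[1]
    return {"target": target, "findings": findings}


if __name__ == "__main__":
    report = inspect_rdp(SAMPLE_RDP)
    print("target:", report["target"])
    for finding in report["findings"]:
        print("risky:", finding)
```

A mail gateway or endpoint check can run `inspect_rdp` over any `.rdp` attachment and quarantine those whose `findings` list is non-empty and whose target host is not an approved gateway; a file with redirection switched off yields an empty list.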

Government Emails Compromised by Russian Hackers

In a previous incident, Microsoft revealed that Midnight Blizzard had breached its email systems. However, it didn’t disclose which organizations were affected.

Following several updates, CISA recently confirmed that the “Russian state-sponsored cyber actor” had successfully infiltrated email correspondence between Microsoft and various civilian Federal agencies.

As a result of the attack, CISA ordered all affected agencies to analyze the content of leaked emails, reset compromised credentials, and take additional steps to ensure the security of authentication tools for privileged Microsoft Azure accounts.

The Origins of Midnight Blizzard

Microsoft first publicly identified a nation-state cyber threat designated as NOBELIUM in 2020.

Although it didn’t immediately name Russia as the source of the attacks, the firm acknowledged that a shadowy entity had been targeting American organizations to further its geopolitical interests.

The company described a sophisticated hacking operation that had successfully breached the systems of world-class companies with strong security teams.

Since April 2023, Microsoft Threat Intelligence has used a new threat actor naming scheme based on weather themes. As such, NOBELIUM was reclassified as Midnight Blizzard.

While the name may have changed, over the years, Midnight Blizzard has remained a persistent threat, using a range of techniques to conduct espionage and steal secrets.

Some of its most well-known campaigns include the TEARDROP malware and a supply chain attack that targeted the SolarWinds Orion business software.

Midnight Blizzard Looks Into Investigators

In November 2023, Midnight Blizzard used a password spray attack to compromise a legacy internal test account and gain a foothold. From there, hackers used the account’s permissions to access several Microsoft corporate email accounts, including members of its senior leadership and cybersecurity teams.

Microsoft’s investigation revealed that the attackers initially targeted email accounts for information related to Midnight Blizzard itself.

Following the strategy’s initial success, Midnight Blizzard appears to have ramped up the operation, with the number of password sprays multiplying tenfold in February.

What Is Password Spraying?

Password spraying is a cyberattack tactic that involves trying a single password against many target accounts, rather than many passwords against one account.

Password spray attacks, often relying on old-school guesswork to compromise accounts, are pretty low-tech by Midnight Blizzard’s standards. The fact that the strategy paid off points to a general complacency about cybersecurity that many people can be guilty of.
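Because a spray spreads a handful of attempts across many accounts, it slips past per-account lockout thresholds; the signal defenders look for is one source hitting many distinct accounts with few attempts each. The following is an added example, not code from the article, that runs that detection over a constructed sign-in log (timestamp, source IP, account, outcome). The addresses, account names and thresholds are invented for illustration; the second source in the log is a per-account brute force, which the rule deliberately does not flag.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from the article). Source 203.0.113.10
# sprays six accounts once each; 198.51.100.7 hammers a single account.
SAMPLE_LOG = """\
2024-10-22T08:00:01Z 203.0.113.10 alice FAIL
2024-10-22T08:00:03Z 203.0.113.10 bob FAIL
2024-10-22T08:00:05Z 203.0.113.10 carol FAIL
2024-10-22T08:00:07Z 203.0.113.10 dave FAIL
2024-10-22T08:00:09Z 203.0.113.10 erin FAIL
2024-10-22T08:00:11Z 203.0.113.10 svc-legacy-test SUCCESS
2024-10-22T08:00:20Z 198.51.100.7 alice FAIL
2024-10-22T08:00:25Z 198.51.100.7 alice FAIL
2024-10-22T08:00:30Z 198.51.100.7 alice SUCCESS
2024-10-22T09:30:00Z 203.0.113.10 frank FAIL
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (time, ip, user, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Flag sources that, within a sliding window, try many distinct
    accounts with at most max_per_account attempts against each."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # chronological order per source
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        hit = None
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            per_account = defaultdict(int)
            for _, _, user, _ in win:
                per_account[user] += 1
            spread = len(per_account) >= min_accounts
            shallow = max(per_account.values()) <= max_per_account
            if spread and shallow:
                if hit is None:
                    hit = {"accounts": set(), "succeeded": set()}
                hit["accounts"].update(per_account)
                hit["succeeded"].update(u for _, _, u, o in win if o == "SUCCESS")
        if hit:
            alerts.append({"source": ip,
                           "accounts": sorted(hit["accounts"]),
                           "succeeded": sorted(hit["succeeded"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {alert['source']}: {len(alert['accounts'])} accounts, "
              f"successes on {alert['succeeded'] or 'none'}")
```

The `succeeded` field is what matters for triage: a spray that lands on an account that never rotates its password or lacks multi-factor authentication, such as a forgotten test account, is the foothold described above, so those accounts are the ones to reset first.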


James Morales

Although his background is in crypto and FinTech news, these days, James likes to roam across CCN’s editorial breadth, focusing mostly on digital technology. Having always been fascinated by the latest innovations, he uses his platform as a journalist to explore how new technologies work, why they matter and how they might shape our future.