Key Takeaways
Microsoft has issued a warning about Midnight Blizzard after identifying, on Oct. 22, an email spear-phishing campaign attributed to the Russian state-sponsored hacker group.
The attack saw Midnight Blizzard send phishing emails to thousands of users in over 100 organizations, including government agencies, higher education, defense, and non-governmental organizations in dozens of countries.
Six months after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed that Midnight Blizzard had infiltrated some civilian agencies’ email correspondence, Microsoft has highlighted another malicious email campaign originating from the same source.
Whereas previous attacks have typically relied on large-scale phishing operations that send out huge volumes of email to maximize the chance that someone opens a malicious attachment, Microsoft described this spear-phishing campaign as "highly targeted."
The emails used social engineering lures tailored to their targets. Each carried a Remote Desktop Protocol (RDP) configuration file that, if opened, "would lead to significant information exposure," Microsoft said. Opening such a file starts an outbound RDP session to a server the attacker controls, and any local drives, clipboard contents or authentication devices that the file's settings redirect become readable from that server.
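As an added example (not code from the page or from Microsoft), the inspector below parses the plain-text `.rdp` format, in which every line is `name:type:value` with type `s` (string) or `i` (integer), and flags the standard resource-redirection settings that make an attacker-supplied file dangerous. The checklist of setting names is general RDP knowledge; the page does not describe the exact contents of the campaign's file, and the two sample files are constructed, with the hostnames being placeholders.

```python
"""Inspect a Remote Desktop (.rdp) file for settings that hand local resources
to the remote host.

An .rdp file is plain text with one ``name:type:value`` setting per line, where
``type`` is ``s`` (string) or ``i`` (integer). The risk in an attacker-supplied
file is not the connection itself but the redirection settings: once the victim
connects, the remote host can read any drive, clipboard or smart card that the
file redirected to it.
"""
import re
from typing import Dict, List, Optional, Tuple

# Standard RDP setting names that redirect local resources to the remote host.
# General checklist (assumption): not a reproduction of the campaign's file.
RISKY_SETTINGS: Dict[str, str] = {
    "drivestoredirect": "local drives mapped to the remote host",
    "devicestoredirect": "plug-and-play devices redirected",
    "usbdevicestoredirect": "USB devices redirected",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers redirected",
    "redirectsmartcards": "smart cards (including logon cards) redirected",
    "redirectwebauthn": "WebAuthn / FIDO authenticators redirected",
    "redirectcomports": "COM ports redirected",
    "remoteapplicationmode": "RemoteApp mode hides the remote desktop window",
}

# Setting names may contain spaces ("full address"); values may contain colons.
_LINE_RE = re.compile(r"^([A-Za-z0-9 _-]+?):([si]):(.*)$")


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (type, value)} for every well-formed setting line."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        match = _LINE_RE.match(raw.strip())
        if match:
            name, kind, value = match.groups()
            settings[name.lower()] = (kind, value.strip())
    return settings


def _enabled(kind: str, value: str) -> bool:
    # Integer flags are on unless 0; string lists are on unless empty.
    return value != "0" if kind == "i" else value != ""


def remote_host(text: str) -> Optional[str]:
    """The host the file would connect to, or None if absent."""
    entry = parse_rdp(text).get("full address")
    if entry is None or entry[1] == "":
        return None
    return entry[1]


def find_risky_settings(text: str) -> List[str]:
    """Describe each enabled redirection setting, in checklist order."""
    settings = parse_rdp(text)
    findings = []
    for name, why in RISKY_SETTINGS.items():
        if name in settings and _enabled(*settings[name]):
            findings.append(f"{name}={settings[name][1]}: {why}")
    return findings


def triage(text: str) -> Dict[str, object]:
    """Summary suitable for a mail-gateway or endpoint rule."""
    findings = find_risky_settings(text)
    return {
        "host": remote_host(text),
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


# Constructed sample files (placeholders, not the campaign's file).
SUSPICIOUS_RDP = """\
screen mode id:i:2
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:1
"""

BENIGN_RDP = """\
screen mode id:i:2
full address:s:jumphost.corp.example
authentication level:i:2
drivestoredirect:s:
redirectclipboard:i:0
redirectsmartcards:i:0
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        print(label, triage(sample))
```

A file that redirects every drive and the smart card to an unknown host, with RemoteApp mode set so the victim never sees a full desktop, is the pattern to quarantine; a file pointing at a known jump host with redirection disabled is ordinary administration. Blocking `.rdp` attachments at the mail gateway and restricting outbound RDP to approved hosts removes the class of attack entirely.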
In a previous incident, Microsoft revealed that Midnight Blizzard had breached its email systems. However, it didn’t disclose which organizations were affected.
Following several updates, CISA recently confirmed that the "Russian state-sponsored cyber actor" had successfully accessed email correspondence between Microsoft and various civilian federal agencies.
As a result of the attack, CISA ordered all affected agencies to analyze the content of leaked emails, reset compromised credentials, and take additional steps to ensure the security of authentication tools for privileged Microsoft Azure accounts.
Microsoft first publicly identified a nation-state cyber threat designated as NOBELIUM in 2020.
Although it didn’t immediately name Russia as the source of the attacks, the firm acknowledged that a shadowy entity had been targeting American organizations to further its geopolitical interests.
The company described a sophisticated hacking operation that had successfully breached the systems of world-class companies with strong security teams.
Since April 2023, Microsoft Threat Intelligence has used a weather-themed naming scheme for threat actors; under it, NOBELIUM was renamed Midnight Blizzard.
While the name may have changed, over the years, Midnight Blizzard has remained a persistent threat, using a range of techniques to conduct espionage and steal secrets.
Its best-known operation is the supply chain attack on the SolarWinds Orion platform, in which it also deployed the TEARDROP malware.
In November 2023, Midnight Blizzard used a password spray attack to compromise a legacy, non-production internal test account and gain a foothold. From there, the attackers leveraged that account's permissions, including a legacy test OAuth application with elevated access, to reach several Microsoft corporate email accounts, among them those of members of its senior leadership and cybersecurity teams.
Microsoft’s investigation revealed that the attackers initially targeted email accounts for information related to Midnight Blizzard itself.
Following the strategy's initial success, Midnight Blizzard appears to have ramped up the operation, with the volume of password sprays as much as tenfold higher in February than in January.
Password spraying is an attack in which one password, or a short list of common ones, is tried against many accounts rather than many passwords against one. Because each account sees only a few failures, the attempts stay below lockout thresholds and are easy to miss in per-account monitoring.
Password spraying, which relies on old-school guesswork rather than exploits, is low-tech by Midnight Blizzard's standards. That it paid off against a forgotten legacy account points to a general complacency about basic cybersecurity hygiene that many organizations can be guilty of.
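As an added example (not code from the page or from Microsoft), the detector below runs over constructed sign-in events and separates the spray pattern (one source, many usernames, very few failures each) from ordinary brute force (one source, one username, many failures) and from a user mistyping a password. It also reports any success that follows a spray from the same source, which is how a sprayed legacy account shows up in the logs. The log format, IP addresses and usernames are all assumptions made for the sample.

```python
"""Flag password-spray activity in authentication logs.

A spray source tries one or two passwords against many accounts, so its
failures are spread thinly: many distinct usernames, a handful of attempts
each, all under the per-account lockout threshold. Brute force is the
opposite shape (one username, many attempts), so the two can be told apart
by counting distinct accounts per source within a time window.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample sign-in events (assumed format, not real log data):
# "<UTC timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_EVENTS = [
    # 203.0.113.7: one failure per account across five accounts, then a success
    "2024-01-12T03:00:01Z 203.0.113.7 alice FAIL",
    "2024-01-12T03:01:14Z 203.0.113.7 bob FAIL",
    "2024-01-12T03:02:30Z 203.0.113.7 carol FAIL",
    "2024-01-12T03:03:47Z 203.0.113.7 dave FAIL",
    "2024-01-12T03:05:02Z 203.0.113.7 erin FAIL",
    "2024-01-12T03:06:19Z 203.0.113.7 svc-legacy-test OK",
    # 198.51.100.9: eight failures against one account (brute force, not spray)
    "2024-01-12T03:00:05Z 198.51.100.9 alice FAIL",
    "2024-01-12T03:00:35Z 198.51.100.9 alice FAIL",
    "2024-01-12T03:01:05Z 198.51.100.9 alice FAIL",
    "2024-01-12T03:01:35Z 198.51.100.9 alice FAIL",
    "2024-01-12T03:02:05Z 198.51.100.9 alice FAIL",
    "2024-01-12T03:02:35Z 198.51.100.9 alice FAIL",
    "2024-01-12T03:03:05Z 198.51.100.9 alice FAIL",
    "2024-01-12T03:03:35Z 198.51.100.9 alice FAIL",
    # 192.0.2.44: a real user mistyping once and then signing in
    "2024-01-12T03:04:00Z 192.0.2.44 bob FAIL",
    "2024-01-12T03:04:20Z 192.0.2.44 bob OK",
]


def parse_events(lines: List[str]) -> List[dict]:
    """Parse the sample format into dicts with a datetime timestamp."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": result == "OK",
        })
    return events


def detect_password_spray(
    events: List[dict],
    window: timedelta = timedelta(minutes=30),
    min_accounts: int = 5,
    max_per_account: int = 3,
) -> Dict[str, dict]:
    """Return {source_ip: summary} for sources whose failures fit a spray.

    A source is flagged when, inside any sliding window, its failures cover at
    least ``min_accounts`` distinct usernames with no username failing more
    than ``max_per_account`` times (the signature of staying under lockout).
    """
    failures_by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_ip[e["ip"]].append(e)

    alerts: Dict[str, dict] = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[ip] = {
                    "accounts": sorted(per_user),
                    "attempts": end - start + 1,
                    "first_failure": fails[start]["ts"],
                }
                break  # one alert per source is enough
    return alerts


def spray_hits(
    events: List[dict],
    alerts: Dict[str, dict],
    window: timedelta = timedelta(minutes=30),
) -> List[Tuple[str, str]]:
    """Successful logons from a flagged source within ``window`` of its spray."""
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"] and e["ip"] in alerts:
            first = alerts[e["ip"]]["first_failure"]
            if first <= e["ts"] <= first + window:
                hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    found = detect_password_spray(parsed)
    print("spray sources:", found)
    print("accounts the spray got into:", spray_hits(parsed, found))
```

The thresholds are the tuning knobs: raising `max_per_account` catches slower sprays that retry a few passwords per account, while lowering `min_accounts` trades precision for recall. In practice the query should also be run per user agent and per target tenant, since sprays are commonly distributed across many source addresses to defeat the per-IP grouping used here.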