Late last year Russian state hackers started a campaign to access Microsoft systems, and on January 12th this year managed to move from a test network into Microsoft's corporate network and compromise a number of executive email accounts, according to a recent post by the Microsoft security team.

Microsoft have attributed the attack to the Russian threat actor they track as Midnight Blizzard (a.k.a. Nobelium, APT29), a threat actor which has been responsible for a number of high profile attacks over the last 10 years, including the SolarWinds Orion attack in 2020 which affected thousands of companies.

According to the Microsoft post, the threat actor used a password spraying attack to compromise a legacy non-production test account and gain a foothold back in November 2023.
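A password spray is easy to miss when each account only sees one or two failures, so the signal a defender looks for is one source failing against many distinct accounts in a short window, especially when a success on a legacy or test account follows. The detector below is an added example and not Microsoft's own tooling; the log format, the sample events and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real Microsoft telemetry): one failed
# attempt per account from a single source, then a success on a legacy account.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-11-20T02:00:14Z src=203.0.113.7 user=bob result=FAIL
2023-11-20T02:00:27Z src=203.0.113.7 user=carol result=FAIL
2023-11-20T02:00:40Z src=203.0.113.7 user=dave result=FAIL
2023-11-20T02:00:53Z src=203.0.113.7 user=erin result=FAIL
2023-11-20T02:01:06Z src=203.0.113.7 user=legacy-test result=SUCCESS
2023-11-20T02:05:00Z src=198.51.100.9 user=alice result=FAIL
2023-11-20T02:05:30Z src=198.51.100.9 user=alice result=FAIL
2023-11-20T02:06:00Z src=198.51.100.9 user=alice result=SUCCESS
"""

def parse_events(text):
    """Parse the constructed 'key=value' sign-in lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources failing against >= min_users distinct accounts inside one
    window; also list accounts that later succeeded from that source."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        # Sliding window over failures: count distinct accounts per window.
        for i, start in enumerate(fails):
            in_win = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_win}
            if len(users) >= min_users:
                success = sorted({e["user"] for e in evs if e["result"] == "SUCCESS"
                                  and e["ts"] >= start["ts"]})
                alerts[src] = {"users": len(users), "success": success}
                break
    return alerts

if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_LOG)))
```

A single user failing repeatedly from one source (the second address above) is ordinary brute forcing or a typo, not a spray, and is deliberately not flagged.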

Once they had gained access, they then used the account’s permissions to access a small percentage of Microsoft corporate email accounts, including members of the senior leadership team and employees in the cybersecurity, legal, and other departments. Some emails and attached documents are known to have been exfiltrated by the attackers.

Microsoft’s forensic investigation into the attack indicates that the attackers were initially targeting email accounts for information related to Midnight Blizzard itself.

Who are Midnight Blizzard?

Midnight Blizzard is a threat actor group suspected to be either a component of the Russian Foreign Intelligence Service (SVR), or a group working under SVR direction.

Initially seen in 2008, when samples of the MiniDuke malware were compiled and later investigated by Kaspersky researchers, Midnight Blizzard have conducted a number of high profile attacks against organisations responsible for influencing the foreign policy of NATO countries. The group is known for its interest in geopolitical data that would be advantageous to the Russian state.

Some of the known attacks by Midnight Blizzard include:

  • 2014
    • ‘Office Monkeys’ campaign – targeting a Washington D.C. private research institute
  • 2015
    • Gained access to the Pentagon’s network via phishing attacks and introduced the Hammertoss technique which used dummy Twitter accounts for Command and Control (C2) communications
  • 2016
    • Launched the GRIZZLY STEPPE campaign which allowed the gang to breach the DNC servers close to the US election via a phishing campaign directing victims to change their passwords using a spoofed website
  • 2017
    • Targeted the Norwegian Government and several Dutch ministries
  • 2019
    • Compromised three EU National Affairs ministries and a Washington D.C.-based embassy of an EU nation state
  • 2020
    • Conducted attacks against COVID-19 vaccine developers in Canada, the US, and the UK
    • Distributed SUNBURST malware, attacking SolarWinds Orion software to drop a Remote Access Trojan (RAT) that impacted many global organisations
  • 2023
    • Conducted targeted social engineering operations via Microsoft Teams

Known Malware

As is the case with other threat actors, Midnight Blizzard tend to develop and use specific malware to enable their attacks. Some of the known malware associated with Midnight Blizzard are:

  • PinchDuke: This was the first toolkit attributed to Midnight Blizzard. The toolkit consists of multiple loaders and a core information stealer trojan. The malware gathers system configuration information, steals user credentials, and collects user files from the compromised host, transferring these via HTTP(S) to a C2 server. PinchDuke was reported as being used from November 2008 to the summer of 2010 and was observed in attacks against Chechnya, Turkey, Georgia, and several former Soviet states before evolving to the CosmicDuke toolkit in 2010.
  • CosmicDuke: The CosmicDuke toolkit is another information stealer malware. The tool can be augmented by a variety of components that the operators may include with the main component to provide additional functionalities, such as multiple methods of establishing persistence, as well as modules that attempt to exploit privilege escalation vulnerabilities. CosmicDuke was utilised from January 2010 to the summer of 2015 and was observed targeting a wide range of organisations including those in the energy and telecommunications sectors, and governments and the military.
  • GeminiDuke: The GeminiDuke toolset consists of a core information stealer, a loader and multiple persistence-related components. Unlike CosmicDuke and PinchDuke, it primarily collects information on the target system’s configuration. GeminiDuke was actively utilised from January 2009 to December 2012.
  • CozyDuke: CozyDuke is a modular malware platform which can be instructed by the C2 server to download and execute arbitrary modules, providing a vast array of functionalities. In addition to modules, CozyDuke can also be instructed to download and execute other, independent executables. In some observed cases, these executables were self-extracting archive files containing common hacking tools, such as PSExec and Mimikatz, combined with script files that execute these tools. CozyDuke was utilised by Midnight Blizzard from January 2010 to the spring of 2015.
  • OnionDuke: The OnionDuke toolkit includes at least a dropper, a loader, an information stealer trojan and multiple modular variants. OnionDuke was the only tool used by Midnight Blizzard that was not spread using phishing; instead it was spread via a malicious Tor exit node. OnionDuke was observed from February 2013 to the spring of 2015.
  • SeaDuke: SeaDuke is a backdoor malware that focuses on executing commands retrieved from its C2 server, such as uploading and downloading files, executing system commands, and evaluating additional Python code. SeaDuke was active from October 2014 to May 2016.
  • Hammertoss: Midnight Blizzard used Hammertoss as a backup for their two primary backdoors, to execute commands and maintain access in the case of the group’s principal toolset being discovered. Hammertoss was in use from at least January 2015 to July 2015.
  • CloudDuke: CloudDuke is a malware toolset known to consist of a downloader, a loader and two backdoor variants, including MiniDionis/Cloudlook. The CloudDuke downloader will download and execute additional malware from a preconfigured location. CloudDuke was in use primarily during the summer of 2015.
  • Cobalt Strike Beacon: In November 2018 the threat actor group utilised Cobalt Strike Beacon instead of bespoke malware or toolkits. The Beacon payload was configured with a modified variation of the publicly available “Pandora” Malleable C2 Profile and used the C2 domain – pandorasong[.]com.
  • PowerDuke: PowerDuke is delivered to targets via emails with Microsoft Word or Excel attachments containing malicious macros. If successfully exploited, a PNG image is downloaded from a compromised web server; the PowerDuke trojan is hidden inside the PNG image using steganography. PowerDuke was first seen in August 2016.
  • POSHSPY: POSHSPY is a backdoor that leverages PowerShell and Windows Management Instrumentation (WMI). Its use of a PowerShell payload means that only legitimate system processes are utilised and that the malicious code execution can only be identified through enhanced logging or in memory. POSHSPY has been active since at least early 2015.