Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs

Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs

Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it’s currently beginning to notify them.

The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

“This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the U.S. and Europe,” the Microsoft Threat Intelligence team said in a new advisory.

APT29’s operations involve the use of legitimate but compromised accounts to gain and expand access within a target environment and fly under the radar. It’s also known to identify and abuse OAuth applications to move laterally across cloud infrastructures and for post-compromise activity, such as email collection.

The intruders then leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment, weaponizing it to create additional malicious OAuth applications and grant them the Office 365 Exchange Online full_access_as_app role in order to obtain access to mailboxes.

Such attacks are launched from a distributed residential proxy infrastructure to conceal their origins, allowing the threat actor to interact with the compromised tenant and with Exchange Online via a vast network of IP addresses that are also used by legitimate users.

“Midnight Blizzard’s use of residential proxies to obfuscate connections makes traditional indicators of compromise (IoC)-based detection infeasible due to the high changeover rate of IP addresses,” Redmond said, necessitating that organizations take steps to defend against rogue OAuth applications and password spraying.