The cyber threat landscape took a concerning turn as Microsoft revealed that the Russian state-sponsored threat actors responsible for the cyber attack on its systems in late November 2023 have set their sights on other organizations. The disclosure follows Hewlett Packard Enterprise’s acknowledgment that it fell victim to an attack by the same hacking group, tracked as APT29 and also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, and The Dukes.
According to the Microsoft Threat Intelligence team, APT29 primarily targets governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, with a notable focus on the United States and Europe. Their modus operandi involves stealthy espionage missions aimed at acquiring strategic information without raising alarms.
The recent revelation suggests that the scope of the campaign may extend beyond initial assessments. While Microsoft refrained from naming the specific entities targeted, the advisory underscores APT29’s sophisticated tactics, including the use of compromised accounts and OAuth applications to navigate through target environments undetected.
APT29’s arsenal includes diverse techniques, from stolen credentials and supply chain attacks to exploiting trust relationships among service providers to reach downstream customers. Of particular concern is their exploitation of breached user accounts to create and manipulate OAuth applications, enabling persistent access even after losing control of the initial compromised account.
In the November 2023 attack on Microsoft, APT29 employed password spray attacks to breach a legacy test tenant account lacking multi-factor authentication (MFA). Subsequently, they exploited a legacy test OAuth application to escalate privileges, create additional malicious OAuth applications, and gain access to Office 365 Exchange Online mailboxes.
The threat actors operate from a distributed residential proxy infrastructure, which obscures their origin and complicates detection based on traditional indicators of compromise such as source IP addresses. As a result, organizations must strengthen their defenses against rogue OAuth applications and password spraying, given the evolving tactics of sophisticated adversaries like APT29.
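One way to look for the password-spray pattern described above, as an added example that is not from the article or from Microsoft's guidance: it scans constructed sign-in records for failures spread thinly across many accounts (and many source IPs, as with a residential proxy pool) instead of counting failures per IP, and reports any sprayed account that then signed in successfully. The event format, thresholds and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not taken from the article):
# (timestamp, user, source_ip, result). Each spray attempt arrives from a
# different residential-proxy IP, so a per-IP failure threshold never fires;
# the pattern only shows up when failures are correlated across accounts.
SAMPLE_EVENTS = [
    ("2024-01-25T10:00:05", "alice@example.com", "198.51.100.11", "FAIL"),
    ("2024-01-25T10:00:09", "bob@example.com", "198.51.100.27", "FAIL"),
    ("2024-01-25T10:00:14", "carol@example.com", "203.0.113.44", "FAIL"),
    ("2024-01-25T10:00:20", "dave@example.com", "203.0.113.71", "FAIL"),
    ("2024-01-25T10:00:26", "erin@example.com", "192.0.2.18", "FAIL"),
    ("2024-01-25T10:00:33", "test-legacy@example.com", "192.0.2.90", "FAIL"),
    ("2024-01-25T10:00:41", "test-legacy@example.com", "198.51.100.63", "SUCCESS"),
    ("2024-01-25T10:30:00", "alice@example.com", "10.0.0.5", "FAIL"),  # benign typo
    ("2024-01-25T10:30:04", "alice@example.com", "10.0.0.5", "SUCCESS"),
]

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=3):
    """Flag a time window when sign-in failures are spread across at least
    `min_users` distinct accounts with no more than `max_per_user` failures
    each (few guesses per account, many accounts: the spray signature).
    A success for a sprayed account inside the same window is reported as a
    possible compromise that needs an immediate MFA and token review."""
    events = sorted((datetime.fromisoformat(t), u, ip, r) for t, u, ip, r in events)
    findings, i = [], 0
    while i < len(events):
        start = events[i][0]
        in_window = [e for e in events[i:] if e[0] - start <= window]
        fails, ips = defaultdict(int), set()
        for _, user, ip, result in in_window:
            if result == "FAIL":
                fails[user] += 1
                ips.add(ip)
        if len(fails) >= min_users and max(fails.values()) <= max_per_user:
            hits = sorted({u for _, u, _, r in in_window if r == "SUCCESS" and u in fails})
            findings.append({"start": start.isoformat(), "sprayed_accounts": len(fails),
                             "source_ips": len(ips), "successes_for_sprayed_accounts": hits})
            i += len(in_window)  # skip past this burst so it is reported once
        else:
            i += 1
    return findings

if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the only flagged window shows six accounts hit from six different IPs, and the legacy test account as the one that was subsequently signed into.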
In light of these developments, vigilance, robust security measures, and proactive threat detection are imperative to mitigate the risks posed by state-sponsored cyber threats in today’s interconnected digital landscape.