TLDR:
- Russia’s ‘Midnight Blizzard’ threat group is targeting cloud environments using automated cloud service accounts and dormant accounts to gain initial access.
- The threat actor has shifted tactics to target organizations in various sectors that have moved to cloud services.
Russia’s ‘Midnight Blizzard’ threat group, connected to Russian intelligence services, has been using automated cloud service accounts and dormant accounts to access the cloud environments of targeted organizations. This marks a significant shift in tactics as the threat actor adapts to the increasing adoption of cloud services by organizations across sectors. The UK’s National Cyber Security Centre, along with the US Cybersecurity and Infrastructure Security Agency and other international counterparts, has issued guidance on how organizations can defend against Midnight Blizzard’s cloud attacks. The threat actor, also known as APT29, Cozy Bear, and the Dukes, has been linked to Russia’s SVR with high confidence and has been active since at least 2009. Midnight Blizzard initially focused on intelligence-gathering attacks and has since targeted a wide range of organizations, including those in the software supply chain, healthcare research, and other sectors.
Midnight Blizzard has been targeting cloud service accounts and exploiting vulnerabilities to gain initial access to organizations’ cloud environments. Its strategies include brute-force attacks on automated service accounts, taking over dormant accounts belonging to former users, and abusing authentication tokens to maintain persistence without requiring a password. The threat actor has also abused OAuth tokens and attacked MFA to gain access to target accounts. To mitigate the threat, organizations are advised to use multi-factor authentication, set strong passwords for service accounts, implement the principle of least privilege, and monitor for unauthorized access.
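The monitoring advice above is easier to act on with a concrete check. The following is an added example, not code from the advisory or from the article's author: a small, vendor-neutral triage pass over constructed cloud sign-in records that surfaces two of the behaviours described, password guessing against service accounts (many failures from one source, often spread across several accounts) and successful sign-ins to accounts that have been dormant for months. The record fields, account names, test-range IP addresses and thresholds are all assumptions for illustration; a real deployment would read the provider's sign-in log and directory data instead.

```python
# Added example (not from the advisory or the article): triage of constructed
# cloud sign-in records for password guessing against service accounts,
# successes that follow a guessing burst, and sign-ins to dormant accounts.
# Field names, thresholds and sample values are assumptions, not a vendor schema.
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample sign-in records (hypothetical accounts, RFC 5737 test addresses).
SAMPLE_EVENTS = [
    {"ts": "2024-02-26T08:00:05", "account": "svc-backup", "ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-02-26T08:00:21", "account": "svc-sync",   "ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-02-26T08:00:40", "account": "svc-report", "ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-02-26T08:01:12", "account": "svc-backup", "ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-02-26T08:01:55", "account": "svc-sync",   "ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-02-26T08:02:30", "account": "svc-report", "ip": "198.51.100.7", "result": "failure"},
    {"ts": "2024-02-26T08:04:02", "account": "svc-backup", "ip": "198.51.100.7", "result": "success"},
    {"ts": "2024-02-26T08:05:00", "account": "alice",      "ip": "203.0.113.5",  "result": "success"},
    {"ts": "2024-02-26T08:07:45", "account": "alice",      "ip": "192.0.2.33",   "result": "failure"},
    {"ts": "2024-02-26T08:10:00", "account": "bob.former", "ip": "203.0.113.9",  "result": "success"},
]

# Constructed directory metadata: last known sign-in per account before the window above.
LAST_SEEN = {
    "svc-backup": "2024-02-25T23:30:00",
    "svc-sync":   "2024-02-25T23:31:00",
    "svc-report": "2024-02-25T23:32:00",
    "alice":      "2024-02-25T17:02:00",
    "bob.former": "2023-10-01T00:00:00",  # user left the organization; account never disabled
}


def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT)


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed sign-ins inside any `window`.
    The finding records how many distinct accounts were tried: several accounts
    from one source is the spraying pattern, one account repeatedly is brute force."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append((parse_ts(e["ts"]), e["account"]))
    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        best = None
        for i in range(len(attempts)):
            start = attempts[i][0]
            inside = [a for a in attempts[i:] if a[0] - start <= window]
            if len(inside) >= threshold and (best is None or len(inside) > best["failures"]):
                best = {"failures": len(inside),
                        "accounts": sorted({a[1] for a in inside}),
                        "first": start, "last": inside[-1][0]}
        if best:
            findings[ip] = best
    return findings


def detect_success_after_guessing(events, guessing, window=timedelta(minutes=10)):
    """Successful sign-ins from a source that was guessing passwords shortly before."""
    hits = []
    for e in events:
        if e["result"] != "success" or e["ip"] not in guessing:
            continue
        t = parse_ts(e["ts"])
        burst = guessing[e["ip"]]
        if burst["first"] <= t <= burst["last"] + window:
            hits.append((e["account"], e["ip"]))
    return hits


def detect_dormant_sign_ins(events, last_seen, dormant_days=90):
    """Successful sign-ins to accounts that had been idle for at least `dormant_days`."""
    hits = []
    for e in events:
        if e["result"] != "success" or e["account"] not in last_seen:
            continue
        idle = parse_ts(e["ts"]) - parse_ts(last_seen[e["account"]])
        if idle.days >= dormant_days:
            hits.append((e["account"], idle.days))
    return hits


def triage(events=SAMPLE_EVENTS, last_seen=LAST_SEEN):
    """Run all three checks and return the findings keyed by check name."""
    guessing = detect_password_guessing(events)
    return {
        "password_guessing": guessing,
        "success_after_guessing": detect_success_after_guessing(events, guessing),
        "dormant_sign_ins": detect_dormant_sign_ins(events, last_seen),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

On the constructed data the first check flags 198.51.100.7 for six failures across three service accounts, the second check flags the later success on svc-backup from that same source, and the third flags bob.former, whose account had been idle for 148 days. The correlation in the second check matters most: a burst of failures followed by a success from the same source is the point at which a password-guessing attempt has become an account compromise, and a dormant-account success is exactly the case the advice to disable former users' accounts is meant to prevent.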
Overall, the evolving tactics of Midnight Blizzard underscore the importance of robust security measures in defending against cloud-based threats and the need for organizations to continuously adapt to emerging cyber threats in cloud environments.