Midnight Blizzard APT continues its attack on Microsoft

by Govind Nelika
March 20, 2024
in Articles, CLAWS Focus

Abstract

The advanced persistent threat (APT) group known as Cozy Bear, Midnight Blizzard or Nobelium is reported to have gained access to Microsoft corporate email accounts. The incident came to light in January 2024, and a further update in March 2024 indicated that the group had used information stolen in the initial intrusion to gain, or attempt to gain, access to Microsoft source code repositories and internal systems. This article analyses the incident and the implications of Nobelium's activity.

Keywords: APT, Midnight Blizzard, Nobelium, Microsoft Attack, Source Code

Introduction

            Advanced Persistent Threat 29 (APT 29), better known as Cozy Bear or Midnight Blizzard, is alleged to be linked to Russia's Foreign Intelligence Service (SVR) and is widely known for its technical discipline and sophisticated operations: penetrating well-defended networks and deploying malware with anti-forensic capabilities. The group's presence has been recorded from as far back as 2015, when it is said to have gained access to the Pentagon's network. In 2016 it breached the Democratic National Committee servers in the run-up to the US election, and its activity has been felt in the European Union, Canada, the United States and the United Kingdom. In 2020 the group trojanised SolarWinds Orion updates with the SUNBURST backdoor, a supply-chain compromise that gave it remote access to several global organisations (Blackberry, n.d.).

            The most recent APT 29 activity of note is its intrusions into two technology giants, Hewlett Packard Enterprise (HPE) and Microsoft. On 19 January 2024 HPE disclosed, in a filing with the United States Securities and Exchange Commission, that APT 29 had gained unauthorised access to its cloud-based email environment, with the threat actor's access dating back to May 2023 (US SEC, 2024). Microsoft detected the attack on its own systems on 12 January 2024 and disclosed it on 19 January 2024. The initial foothold was obtained by a password spray attack, a form of brute force in which the attacker tries a small number of common passwords against many accounts, keeping the attempts per account low enough to avoid lockouts; in this case it compromised a legacy, non-production test tenant account. The attack is said to have begun in late November 2023, and Microsoft's January 2024 statement on the incident reads as under:

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.” (MSRC, Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard, 2024)

An update on the attack was released on 08 March 2024. It states that APT 29 is using information initially exfiltrated from Microsoft's corporate email systems to gain, or attempt to gain, unauthorised access to some of the company's source code repositories and internal systems. The update also notes that the volume of password spray attempts rose as much as ten-fold in February 2024 compared with January, and that Microsoft is taking measures to mitigate the damage. The update clarified the following:

“We have increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat” (MSRC, 2024).

APT 29 Modus Operandi

            The threat from state-sponsored APTs has always been looming, and such actors will only become more prevalent in the coming years. The cybersecurity firm Mandiant, in reporting published in 2022 on APT 29's operations against Microsoft 365 environments, describes tradecraft that helps explain how the group works its way into cloud identity systems. Having guessed the password of a dormant account (how the password was obtained is still not confirmed), APT 29 bypassed Multi-Factor Authentication (MFA) by exploiting the fact that the account had never enrolled in MFA: the attacker completed the self-enrolment and registered their own device. With that account, APT 29 could reach VPN infrastructure that used Azure AD for authentication and MFA. The group also routed its final connections to targeted environments through residential proxies, and used Azure Virtual Machines in Azure subscriptions, which connect from Microsoft-owned IP address ranges and therefore blend into normal Microsoft 365 traffic, making the actor harder to detect. The Mandiant report further confirms that APT 29 abused the Exchange Online ApplicationImpersonation role, which lets a service account act on other users' mailboxes. In hindsight, the level of preparation by APT 29 is startling; it continues to refine its craft and tends to breach systems through identity abuse and social engineering rather than by exploiting zero-day vulnerabilities (Bienstock, 2022).
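As an added example (not code from the article, from Microsoft or from Mandiant), the following Python triages a constructed sign-in log for the two identity-layer patterns discussed above: the low-and-slow password spray that gave the initial foothold in the Microsoft intrusion, and the dormant-account takeover followed by MFA self-enrolment that Mandiant described. The log layout, thresholds, account names and IP addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log for this example. The layout
# (timestamp,user,source_ip,event,result) is an assumption, not any
# vendor's real sign-in schema. 198.51.100.7 sprays six accounts with one
# guess each and lands on a long-dormant service account, which then
# registers an MFA method minutes later; 192.0.2.33 is an ordinary user
# mistyping a password twice and is not flagged by either check.
SAMPLE_LOG = """\
2023-11-20T03:00:01Z,svc-legacy@tenant.example,203.0.113.10,signin,success
2024-01-05T01:00:01Z,a.user@tenant.example,198.51.100.7,signin,failure
2024-01-05T01:00:02Z,b.user@tenant.example,198.51.100.7,signin,failure
2024-01-05T01:00:03Z,c.user@tenant.example,198.51.100.7,signin,failure
2024-01-05T01:00:04Z,d.user@tenant.example,198.51.100.7,signin,failure
2024-01-05T01:00:05Z,e.user@tenant.example,198.51.100.7,signin,failure
2024-01-05T01:00:06Z,f.user@tenant.example,198.51.100.7,signin,failure
2024-01-05T01:00:07Z,svc-legacy@tenant.example,198.51.100.7,signin,success
2024-01-05T01:09:00Z,svc-legacy@tenant.example,198.51.100.7,mfa_register,success
2024-01-05T09:00:00Z,a.user@tenant.example,192.0.2.33,signin,failure
2024-01-05T09:00:10Z,a.user@tenant.example,192.0.2.33,signin,failure
2024-01-05T09:00:20Z,a.user@tenant.example,192.0.2.33,signin,success
"""


def parse_log(text):
    """Parse the constructed CSV lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, event, result = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "event": event, "result": result,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Flag a source IP whose sign-in failures inside one window touch many
    distinct accounts with only a guess or two per account: the shape of a
    spray, as opposed to a brute force hammering a single user."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "signin" and e["result"] == "failure":
            failures[e["ip"]].append(e)
    alerts = []
    for ip, fails in failures.items():
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["time"] - first["time"] <= window]
            per_user = defaultdict(int)
            for f in in_window:
                per_user[f["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({"source_ip": ip, "distinct_users": len(per_user),
                               "start": first["time"], "end": in_window[-1]["time"]})
                break  # one alert per source is enough for triage
    return alerts


def detect_dormant_reactivation(events, dormant_days=30,
                                enroll_within=timedelta(hours=1)):
    """Flag an account that signs in successfully after a long silence and
    registers an MFA method shortly afterwards: the self-enrolment pattern in
    which an attacker who guessed a dormant account's password adds their own
    device before the legitimate owner ever does."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        last_success = None
        for idx, e in enumerate(evs):
            if e["event"] != "signin" or e["result"] != "success":
                continue
            if last_success and e["time"] - last_success >= timedelta(days=dormant_days):
                enrolled = [x for x in evs[idx + 1:]
                            if x["event"] == "mfa_register"
                            and x["time"] - e["time"] <= enroll_within]
                if enrolled:
                    alerts.append({"user": user, "reactivated": e["time"],
                                   "mfa_registered": enrolled[0]["time"],
                                   "source_ip": e["ip"]})
            last_success = e["time"]
    return alerts


def triage(log_text):
    """Run both detectors over raw log text and return their findings."""
    events = parse_log(log_text)
    return {"password_spray": detect_password_spray(events),
            "dormant_reactivation": detect_dormant_reactivation(events)}


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_LOG).items():
        for finding in findings:
            print(kind, finding)
```

Grouping failures by source IP is the simplest spray signal, but it is exactly what residential proxies and attacker-controlled Azure virtual machines are meant to defeat: the spray then arrives from many addresses that look like home broadband or like Microsoft's own ranges. In a real tenant the same logic should additionally be grouped by tenant-wide failure rate, user agent or ASN, and the dormant-account check should be paired with a policy that requires a known device or an admin-issued temporary access pass before MFA self-enrolment is allowed at all.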

Conclusion

            While there is no current report of Midnight Blizzard exploiting any zero-day vulnerability, the ongoing attack on Microsoft suggests that it may well be a trial run in which the threat actor has chosen softer targets, relying on weak or legacy credentials and social engineering to gain access. One must also bear in mind that, in the current era, multiple threat actors alleged to have state sponsorship are becoming a growing global concern, as evidenced by the recent I-Soon data leak, which allegedly shows how entrenched state-sponsored attackers have become. Whether one can conclusively confirm the involvement of state actors is a difficult question, since most such attacks leave little to no digital trace. I-Soon is a company that contracts for many PRC agencies, ranging from China's Ministry of Public Security and Ministry of State Security to the People's Liberation Army (Cary & Milenkoski, 2024), yet the leaked information still lacks authentication and can be dismissed as information warfare, which further restricts action of any form at the international level.

            The implications of such state actors will be even greater in the coming age of AI-generated models and quantum computing, which these actors will leverage against existing systems. While some believe the targets of such attacks are merely corporate entities, policy-makers and those responsible for a nation's defence architecture must treat this as a call to action: identify and act against such actors, and ensure that pertinent security audits and threat models are in place that can recognise, and to an extent predict, the behaviour patterns of these entities, so as to defend against them and strike back.

Works Cited

Bienstock, D. (2022, August 18). You Can't Audit Me: APT29 Continues Targeting Microsoft 365. Mandiant. Retrieved March 12, 2024, from https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft

Blackberry. (n.d.). APT29. BlackBerry. Retrieved March 11, 2024, from https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/apt29

Cary, D., & Milenkoski, A. (2024, February 21). Unmasking I-Soon: The Leak That Revealed China's Cyber Operations. SentinelOne (SentinelLabs). Retrieved March 12, 2024, from https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/

MSRC. (2024, January 19). Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard. Microsoft Security Response Center. Retrieved March 12, 2024, from https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

MSRC. (2024, March 08). Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard. Microsoft Security Response Center. Retrieved March 11, 2024, from https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

US SEC. (2024, January 19). Hewlett Packard Enterprise Company (Form 8-K). Securities and Exchange Commission. Retrieved March 11, 2024, from https://www.sec.gov/ixviewer/ix.html?doc=/Archives/edgar/data/1645590/000164559024000009/hpe-20240119.htm

Govind Nelika
Govind Nelika is the Researcher / Web Manager/ Outreach Coordinator at the Centre for Land Warfare Studies (CLAWS). He is an alumnus of Pondicherry Central University with a degree in Political Science complemented by a certification in Data Sciences from IBM. His research approach is multidisciplinary in nature, and his focus area at CLAWS is on emerging challenges and trends in the fields of Cybersecurity, OSINT, and the evolving landscape of Strategic Technology, synergized with Generative AI and LLM. In recognition of his contributions, he was awarded the Chief of Army Staff (COAS) Commendation Card on Army Day 2025 for his work with CLAWS. He can be reached at [email protected]