In November 2023 [1] [2] [3] [5] [6] [7], Microsoft announced that it had been targeted in a cyber attack by the Russian state-sponsored threat actor known as APT29 and by various other names, including BlueBravo, Cloaked Ursa [2] [3] [5], Cozy Bear [1] [2] [3] [4] [5] [6], Midnight Blizzard [1] [2] [3] [4] [5] [7], and The Dukes [2] [3]. This threat actor [1] [3] [5], believed to be associated with the Russian Foreign Intelligence Service (SVR) [7], has a history of targeting governments, diplomatic entities [3] [5], NGOs [3] [5], and IT service providers in the US and Europe [3] [5]. Its goal is to gather sensitive information of strategic interest to Russia without attracting attention [3] [5]. Microsoft has now revealed that the same Russian threat actor responsible for the attack on its systems has been targeting other organizations as well [2] [3] [5].

Description

Microsoft has disclosed that the Russian threat actor responsible for the attack on its systems has also targeted other organizations. Hewlett Packard Enterprise (HPE) recently disclosed that it was also a victim of an attack by the same hacking crew [2], APT29, also tracked as BlueBravo [3] [5], Cloaked Ursa [2] [3] [5], Cozy Bear [1] [2] [3] [4] [5] [6], Midnight Blizzard (formerly Nobelium) [2], and The Dukes [2] [3]. The hackers used a password spray attack to infiltrate a non-production test tenant account that had no multi-factor authentication [3] [5]. From there [7], they compromised a legacy test OAuth application and gained access to mailboxes [3]. The hackers accessed a small percentage of corporate email accounts belonging to senior leadership and to employees in the cybersecurity and legal departments [1] [7], stealing some emails and attached documents [1] [7].

HPE’s cyberattack [2] [3] [5] [6], believed to have been carried out by Cozy Bear [6], targeted its cloud-based email environment [6], resulting in data being accessed and exfiltrated from a small percentage of HPE mailboxes belonging to individuals in various departments [6]. This incident is likely related to earlier activity by Cozy Bear against HPE [6]. HPE is cooperating with law enforcement and taking the necessary measures to contain and investigate the breach [6]. The attack is similar to the one disclosed by Microsoft [6], in which Cozy Bear breached Microsoft’s network and accessed a small percentage of corporate email accounts [6]. The attack on Microsoft began in November 2023 and was detected in January 2024 [6]. The specific method used by Cozy Bear to gain access to senior executives’ email accounts is unclear [6]. HPE has filed a Form 8-K with the Securities and Exchange Commission to comply with regulatory disclosure requirements [6]. The incident has had no operational impact on HPE’s business [6], and no material financial impact has been determined so far [6].

It is important to note that the attack on Microsoft was not due to a vulnerability in its products or services, and there is no evidence that the hackers had access to customer environments [7], production systems [1] [3] [5] [7], source code [7], or AI systems [7]. Microsoft has assured customers that they will be notified if any action on their part is required.

APT29 [1] [2] [3] [4] [5], the threat actor responsible for the attack on Microsoft [3], uses compromised accounts and OAuth applications to gain and expand access within a target environment [3] [5]. It also uses breached user accounts to create OAuth applications and grant them high permissions [5], which lets it keep access even if the initial account is lost [5]. The threat actor obfuscates its connections by routing them through residential proxies [5], which makes detection based on traditional indicators of compromise difficult [3] [5].

Conclusion

These recent cyber attacks highlight the ongoing threat posed by state-sponsored threat actors like APT29. Organizations are advised to defend against rogue OAuth applications and password spraying [3] [5]. It is crucial for organizations to enforce multi-factor authentication and to regularly review and update their security measures to protect against such attacks. Cooperation between affected organizations, law enforcement [6], and regulatory bodies is essential to investigating and mitigating the impact of these breaches. The incidents also underscore the need for continued vigilance and investment in cybersecurity to safeguard sensitive information and prevent unauthorized access in the future.
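As an added example (not code from Microsoft, HPE or any of the cited reports), the following Python script shows the detection side of two points made above: the password-spray pattern used against the unprotected test tenant account, and the residential-proxy problem, which the script handles by letting the analyst aggregate failures across all source addresses instead of per IP. The sample sign-in records, field names and threshold values are all constructed for the example.

```python
"""Password-spray detection over sign-in logs (added example, not code from
Microsoft, HPE or the cited reports; field names and thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.10 tries four accounts once each and then signs in
# to a test account (spray shape); 198.51.100.7 hammers one account (brute force).
SAMPLE_SIGNINS = [
    {"time": "2024-01-10T03:00:01Z", "user": "alice@example.test", "ip": "203.0.113.10", "success": False},
    {"time": "2024-01-10T03:00:07Z", "user": "bob@example.test", "ip": "203.0.113.10", "success": False},
    {"time": "2024-01-10T03:00:13Z", "user": "carol@example.test", "ip": "203.0.113.10", "success": False},
    {"time": "2024-01-10T03:00:19Z", "user": "dave@example.test", "ip": "203.0.113.10", "success": False},
    {"time": "2024-01-10T03:00:25Z", "user": "test-tenant-svc@example.test", "ip": "203.0.113.10", "success": True},
    {"time": "2024-01-10T03:05:00Z", "user": "erin@example.test", "ip": "198.51.100.7", "success": False},
    {"time": "2024-01-10T03:05:02Z", "user": "erin@example.test", "ip": "198.51.100.7", "success": False},
    {"time": "2024-01-10T09:00:00Z", "user": "frank@example.test", "ip": "192.0.2.5", "success": False},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(events, group_by=lambda e: e["ip"], window=timedelta(minutes=10),
                 min_users=4, max_per_user=2):
    """Map each flagged group key to the sorted list of accounts it targeted.
    A group is flagged when, inside one `window`, it failed against at least
    `min_users` distinct accounts with at most `max_per_user` tries each (many
    accounts, few guesses: a spray, not a brute force). `group_by` defaults to
    source IP; pass a constant (lambda e: "tenant") to aggregate across sources
    when rotating residential proxies keep per-IP counts below threshold."""
    failures = defaultdict(list)
    for e in sorted(events, key=_ts):
        if not e["success"]:
            failures[group_by(e)].append((_ts(e), e["user"]))
    flagged = {}
    for key, fails in failures.items():
        start = 0
        for end in range(len(fails)):  # sliding window over this group's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged.setdefault(key, set()).update(counts)
    return {key: sorted(users) for key, users in flagged.items()}

def successes_from_flagged(events, flagged, group_by=lambda e: e["ip"]):
    """Successful sign-ins from a flagged group: the events to escalate first."""
    return [(group_by(e), e["user"]) for e in events
            if e["success"] and group_by(e) in flagged]
```

Run per IP, only 203.0.113.10 is flagged and its later successful sign-in to the test account is returned for escalation; run tenant-wide, the low-volume failures from the second source fold into the same spray.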

References

[1] https://thecyberwire.com/newsletters/week-that-was/8/4
[2] https://vulners.com/thn/THN:472C22061592D9B844302F0C1EB417DC
[3] https://thehackernews.com/2024/01/microsoft-warns-of-widening-apt29.html
[4] https://ca.news.yahoo.com/hpe-says-hacked-russian-group-100918165.html
[5] https://www.redpacketsecurity.com/microsoft-warns-of-widening-apt29-espionage-attacks-targeting-global-orgs/
[6] https://www.techtarget.com/searchSecurity/news/366567743/HPE-breached-by-Russian-APT-behind-Microsoft-hack
[7] https://www.helpnetsecurity.com/2024/01/25/cozy-bear-microsoft-hpe/