In a significant shift in strategy, the Russian threat group known as “Midnight Blizzard” has begun targeting cloud-based services. This group is linked to the Russian intelligence services (SVR) and has been associated with high-profile cyberattacks on SolarWinds, Microsoft, and HPE.
The group’s new approach involves leveraging service accounts and dormant accounts to gain access to cloud environments in targeted organizations. This move comes in response to an increase in the adoption of cloud services by organizations that the group traditionally targets.
“The threat actor is adapting its tactics to the growing use of cloud services,” warned an advisory from the UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and their international counterparts. The agencies advised organizations to treat defending against these SVR tactics as a first line of defense.
Midnight Blizzard has been active since 2009 and is associated with the Russian SVR. The group initially attracted attention for its intelligence-gathering attacks on government agencies, think tanks, healthcare, and energy organizations. In recent years, however, it has broadened its scope to include the software supply chain, healthcare research, law enforcement, aviation, and military industries.
To gain access to cloud-hosted networks, Midnight Blizzard uses brute-force guessing and password spraying attacks against cloud service accounts. Service accounts are non-human accounts used to run and manage cloud applications and services; because no person logs in to them interactively, they typically cannot be protected with two-factor authentication, which makes them easier to compromise.
Furthermore, gaining control over these accounts gives the threat actors privileged initial access to launch further operations. To camouflage their activities, they often use legitimate residential IP addresses to carry out their attacks.
The threat group also takes advantage of dormant accounts: accounts belonging to former employees whose credentials were never disabled. In some instances, the group has managed to regain access to a network by logging into inactive accounts and resetting the passwords.
The advisory also noted other tactics used by Midnight Blizzard, such as illegally obtained OAuth tokens and so-called MFA bombing or MFA-fatigue attacks. Once inside a cloud environment, they often register their own device to maintain persistent access.
The NCSC has recommended several mitigation strategies for organizations. These include the use of multifactor authentication where possible, strong passwords for service accounts, and limiting the session lifetimes of authentication tokens. They also advise adhering to the principle of least privilege for service accounts and ensuring that device enrollment policies do not allow unauthorized devices.
Finally, organizations are urged to create “canary service accounts,” which appear valid but are never used. Any activity on these accounts would indicate unauthorized access and require immediate investigation.
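Two of the detections implied above, the password-spray pattern against service accounts and the canary-account tripwire, can be written as simple rules over sign-in logs. The following is an added example, not code from the advisory or from any vendor; the log format, the source addresses and the account names (including the canary `svc-canary-01`) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample sign-in log (not from the advisory); one event per
# line in the form: timestamp,user,source_ip,result
SAMPLE_LOG = """\
2024-02-26T03:01:02Z,svc-backup,203.0.113.7,FAILURE
2024-02-26T03:01:05Z,svc-ci,203.0.113.7,FAILURE
2024-02-26T03:01:09Z,svc-monitor,203.0.113.7,FAILURE
2024-02-26T03:01:12Z,svc-export,203.0.113.7,FAILURE
2024-02-26T03:01:15Z,svc-canary-01,203.0.113.7,FAILURE
2024-02-26T03:02:00Z,svc-backup,203.0.113.7,SUCCESS
2024-02-26T09:15:00Z,alice,198.51.100.4,FAILURE
2024-02-26T09:16:00Z,alice,198.51.100.4,SUCCESS
"""

# Hypothetical canary service account names; real ones come from your IdP.
CANARY_ACCOUNTS = {"svc-canary-01"}

def parse_log(text):
    """Parse the comma-separated sample format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append({"ts": ts, "user": user, "ip": ip, "result": result})
    return events

def canary_alerts(events, canaries=CANARY_ACCOUNTS):
    """Any event touching a canary account is an alert, failures included:
    an account that is never used legitimately should see no attempts at all."""
    return [e for e in events if e["user"] in canaries]

def spray_alerts(events, min_accounts=4):
    """Flag source IPs whose failures span many distinct accounts (the
    low-and-slow spray pattern) and record any later success from that IP."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAILURE":
            failed_users[e["ip"]].add(e["user"])
    alerts = []
    for ip, users in sorted(failed_users.items()):
        if len(users) >= min_accounts:
            landed = sorted({e["user"] for e in events
                             if e["ip"] == ip and e["result"] == "SUCCESS"})
            alerts.append({"ip": ip, "accounts_tried": len(users),
                           "successes": landed})
    return alerts
```

Against the sample log, `spray_alerts` reports 203.0.113.7 trying five accounts before a success on `svc-backup`, while alice's single mistyped password stays below the threshold; the same source also trips the canary rule.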
The evolving tactics of groups like Midnight Blizzard underscore the critical importance of cybersecurity services in today’s digital landscape. Organizations must remain vigilant, proactive and adaptive in their cybersecurity efforts to effectively combat such threats.