Microsoft has released an in-depth technical analysis of the recent intrusion by the Russian state-sponsored group Midnight Blizzard, also tracked as Nobelium and APT29. This follows Microsoft's initial disclosure last week that the group had compromised some internal systems and accessed a small number of employee email accounts.
In a new blog post, Microsoft outlined the specific tactics, techniques, and procedures used by Midnight Blizzard throughout the multi-stage attack that occurred between November 2023 and January 2024.
According to Microsoft, the attack began with a password spray campaign: rather than hammering one account with many guesses, the attacker tries a small set of common passwords against a large number of accounts, staying below per-account lockout thresholds. This gave the hackers an initial foothold in a legacy, non-production Microsoft test tenant.
The hackers then created and modified OAuth apps to expand their access. OAuth is an authorization framework, not an authentication protocol: it lets an application act on a resource (a mailbox, a directory) with permissions that were granted to the app, and an app holding application-level permissions does so under its own identity with no interactive user present. By taking over an existing app that already held elevated access and registering new malicious ones, Midnight Blizzard obtained access that did not depend on any compromised user account, and its API calls blended in with legitimate app traffic.
Once embedded, the hackers used the permissions they had accumulated to target the mailboxes of specific employees, including senior leaders. Microsoft said the hackers appeared focused on information about Midnight Blizzard itself, that is, on what Microsoft knew about them. Emails and attached documents were exfiltrated through Exchange Web Services calls made under the permissions of the attacker-controlled OAuth apps.
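The OAuth abuse above comes down to one question a defender can ask of any tenant: which service principals hold application permissions that give tenant-wide mailbox access, and how recently were they created or granted that access? The following is an added example, not code from Microsoft's report, that runs that audit over constructed data shaped like Microsoft Graph `servicePrincipal` and `appRoleAssignment` objects. In real Graph output an `appRoleAssignment` carries only the role GUID, so the script resolves it against the resource's `appRoles` list exactly as you would have to with live data; every GUID, app name and timestamp in the sample is made up, while the permission names (`full_access_as_app`, `Mail.ReadWrite`, and so on) are the real ones.

```python
"""Audit service principals for high-privilege application permissions.

All sample objects below are constructed for this example; their shape
follows Microsoft Graph, but the ids, names and dates are invented.
"""
from datetime import datetime, timedelta, timezone

# (resource display name, app role value) pairs that grant broad access
# without a signed-in user. The permission names are real Exchange Online
# and Microsoft Graph application permissions.
HIGH_RISK_APP_ROLES = {
    ("Office 365 Exchange Online", "full_access_as_app"),
    ("Microsoft Graph", "Mail.Read"),
    ("Microsoft Graph", "Mail.ReadWrite"),
    ("Microsoft Graph", "MailboxSettings.ReadWrite"),
    ("Microsoft Graph", "Directory.ReadWrite.All"),
    ("Microsoft Graph", "RoleManagement.ReadWrite.Directory"),
}

NOW = datetime(2024, 1, 20, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed: resource service principals whose appRoles define the GUIDs
RESOURCE_SPS = [
    {"id": "res-exo", "displayName": "Office 365 Exchange Online",
     "appRoles": [{"id": "role-exo-full", "value": "full_access_as_app"}]},
    {"id": "res-graph", "displayName": "Microsoft Graph",
     "appRoles": [{"id": "role-g-userread", "value": "User.Read.All"},
                  {"id": "role-g-mailrw", "value": "Mail.ReadWrite"}]},
]

# Constructed: service principals (apps) present in the tenant
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "legacy-test-mailer", "createdDateTime": "2019-03-02T10:00:00Z"},
    {"id": "sp-2", "displayName": "hr-sync", "createdDateTime": "2021-06-10T09:00:00Z"},
    {"id": "sp-3", "displayName": "OAuth Diag", "createdDateTime": "2024-01-05T02:11:00Z"},
]

# Constructed: appRoleAssignments granted to those service principals
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-1", "resourceId": "res-exo", "appRoleId": "role-exo-full",
     "createdDateTime": "2019-03-02T10:05:00Z"},
    {"principalId": "sp-2", "resourceId": "res-graph", "appRoleId": "role-g-userread",
     "createdDateTime": "2021-06-10T09:05:00Z"},
    {"principalId": "sp-3", "resourceId": "res-exo", "appRoleId": "role-exo-full",
     "createdDateTime": "2024-01-05T02:20:00Z"},
    {"principalId": "sp-3", "resourceId": "res-graph", "appRoleId": "role-g-mailrw",
     "createdDateTime": "2024-01-05T02:21:00Z"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_role(resources, resource_id, app_role_id):
    """Map an assignment's appRoleId to (resource name, role value)."""
    for sp in resources:
        if sp["id"] == resource_id:
            for role in sp["appRoles"]:
                if role["id"] == app_role_id:
                    return sp["displayName"], role["value"]
    return None, None


def audit_app_permissions(principals, resources, assignments, now, recent_days=30):
    """Return findings for high-risk application permissions, most urgent first.

    A finding is marked 'recent' when the app or the grant is younger than
    recent_days, which is the pattern of an attacker-registered app.
    """
    by_id = {p["id"]: p for p in principals}
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for a in assignments:
        resource, value = resolve_role(resources, a["resourceId"], a["appRoleId"])
        if (resource, value) not in HIGH_RISK_APP_ROLES:
            continue
        sp = by_id[a["principalId"]]
        reasons = [f"{resource}: {value}"]
        if parse_ts(sp["createdDateTime"]) >= cutoff:
            reasons.append(f"service principal created within {recent_days} days")
        if parse_ts(a["createdDateTime"]) >= cutoff:
            reasons.append(f"permission granted within {recent_days} days")
        findings.append({"principal": sp["displayName"], "principalId": sp["id"],
                         "resource": resource, "permission": value,
                         "reasons": reasons, "recent": len(reasons) > 1})
    # recent (likely attacker-created) grants sort first
    return sorted(findings, key=lambda f: (not f["recent"], f["principal"]))


if __name__ == "__main__":
    for f in audit_app_permissions(SERVICE_PRINCIPALS, RESOURCE_SPS, APP_ROLE_ASSIGNMENTS, NOW):
        flag = "RECENT" if f["recent"] else "legacy"
        print(f"[{flag}] {f['principal']} ({f['principalId']}): " + "; ".join(f["reasons"]))
```

Both kinds of hit matter: the recently created "OAuth Diag" app is the attacker-registered pattern, while the old "legacy-test-mailer" grant is the forgotten test app that gave the attacker something to take over in the first place. With live data you would feed the script the output of Graph's `servicePrincipals` and `appRoleAssignedTo` endpoints instead of the constructed lists.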
Throughout the intrusion, Midnight Blizzard routed its connections through residential proxy networks to mask their true source. Because the traffic arrived from IP addresses used by ordinary households, it blended in with legitimate user activity, and IP reputation or geolocation checks alone would not have flagged it. The practical consequence for defenders is that spray and sign-in detections need to correlate on something other than the source address, such as the client fingerprint, the timing, and the number of distinct accounts touched across many IPs.
Based on the investigation so far, Microsoft maintains there is no evidence that Midnight Blizzard accessed any customer data, production systems, source code, or AI systems. The company continues information sharing and collaboration with law enforcement regarding the incident.
So that other organizations can defend themselves against the same approach, Microsoft recommends the following:
- Audit privileged roles and OAuth app permissions, with particular attention to application permissions against Exchange Online and to legacy or test apps that still hold access
- Implement conditional access policies so that sign-ins from unmanaged devices or unexpected locations are blocked or challenged rather than allowed on a password alone
- Reset credentials for any account targeted by a password spray, whether or not a successful sign-in was observed
- Monitor for unfamiliar sign-ins and identity risk detections, including sign-ins by service principals that have never authenticated before
- Hunt for abuse of the Exchange Web Services API, such as mailbox access by an app identity rather than by the mailbox owner
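The spray-detection and credential-reset recommendations above are easier to act on with a concrete detector. The following is an added example, not code from Microsoft's report, that runs two password-spray heuristics over a constructed set of sign-in events in the shape of Entra ID sign-in logs: a per-source-IP check, and a distributed check keyed on the client user agent for the case the article describes, where the spray is spread across rotating residential proxy IPs so that no single IP looks noisy. It then lists sprayed accounts that later signed in successfully from a spraying IP or client, which are the credentials to reset first. Every user, IP (RFC 5737 test ranges), timestamp and user-agent string in the sample is constructed; the thresholds are illustrative starting points, and the result code 50126 is the real Entra ID code for an invalid username or password.

```python
"""Password-spray detection over sign-in events, including sprays spread
across many source IPs (residential proxies).

SAMPLE_SIGNINS is constructed for this example: users, IPs, times and
user agents are invented. Fields: time, user, source IP, result code
(0 = success, 50126 = bad password), user agent.
"""
from collections import defaultdict
from datetime import datetime, timezone

SPRAY_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) spray-client/1.0"   # constructed
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) Safari/605.1.15"   # constructed

SAMPLE_SIGNINS = [
    # one guess per account, three users per proxy IP: quiet from any single IP
    ("2023-11-14T02:01:10Z", "alice@contoso.test", "203.0.113.10", 50126, SPRAY_UA),
    ("2023-11-14T02:01:40Z", "bob@contoso.test",   "203.0.113.10", 50126, SPRAY_UA),
    ("2023-11-14T02:02:05Z", "carol@contoso.test", "203.0.113.10", 50126, SPRAY_UA),
    ("2023-11-14T02:03:12Z", "dave@contoso.test",  "203.0.113.11", 50126, SPRAY_UA),
    ("2023-11-14T02:03:50Z", "erin@contoso.test",  "203.0.113.11", 50126, SPRAY_UA),
    ("2023-11-14T02:04:30Z", "frank@contoso.test", "203.0.113.11", 50126, SPRAY_UA),
    ("2023-11-14T02:05:02Z", "grace@contoso.test", "203.0.113.12", 50126, SPRAY_UA),
    ("2023-11-14T02:05:44Z", "heidi@contoso.test", "203.0.113.12", 50126, SPRAY_UA),
    ("2023-11-14T02:06:20Z", "legacy-test@contoso.test", "203.0.113.12", 50126, SPRAY_UA),
    # second password round lands on the forgotten test account
    ("2023-11-14T02:41:09Z", "legacy-test@contoso.test", "203.0.113.12", 0, SPRAY_UA),
    # benign noise: bob mistypes twice from his own machine, then succeeds
    ("2023-11-14T02:10:00Z", "bob@contoso.test", "198.51.100.7", 50126, MAC_UA),
    ("2023-11-14T02:10:20Z", "bob@contoso.test", "198.51.100.7", 50126, MAC_UA),
    ("2023-11-14T02:10:45Z", "bob@contoso.test", "198.51.100.7", 0, MAC_UA),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_key(ts, seconds=3600):
    """Fixed one-hour buckets; a sliding window is a refinement, not a change of logic."""
    return int(ts.timestamp()) // seconds


def detect_password_spray(events, per_ip_users=5, distributed_users=8, max_attempts_per_user=2):
    """Return (per_ip_hits, distributed_hits).

    per_ip_hits:      (window, ip) -> sorted users, when one IP fails against many
                      accounts with few attempts each (classic spray).
    distributed_hits: (window, user_agent) -> {"users", "ips"}, when one client
                      fingerprint fails against many accounts from several IPs
                      (spray rotated through residential proxies).
    """
    per_ip = defaultdict(lambda: defaultdict(int))   # (window, ip) -> user -> failures
    per_ua = defaultdict(lambda: defaultdict(set))   # (window, ua) -> user -> {ips}
    for ts, user, ip, code, ua in events:
        if code == 0:
            continue
        w = window_key(parse_ts(ts))
        per_ip[(w, ip)][user] += 1
        per_ua[(w, ua)][user].add(ip)

    per_ip_hits = {key: sorted(users) for key, users in per_ip.items()
                   if len(users) >= per_ip_users
                   and max(users.values()) <= max_attempts_per_user}

    distributed_hits = {}
    for key, users in per_ua.items():
        ips = set().union(*users.values())
        if len(users) >= distributed_users and len(ips) >= 2:
            distributed_hits[key] = {"users": sorted(users), "ips": sorted(ips)}
    return per_ip_hits, distributed_hits


def accounts_to_reset(events, per_ip_hits, distributed_hits):
    """Sprayed accounts that later succeeded from a spraying IP or client."""
    spray_ips = {ip for (_, ip) in per_ip_hits}
    spray_ips |= {ip for hit in distributed_hits.values() for ip in hit["ips"]}
    spray_uas = {ua for (_, ua) in distributed_hits}
    sprayed = set()
    for users in per_ip_hits.values():
        sprayed.update(users)
    for hit in distributed_hits.values():
        sprayed.update(hit["users"])
    return sorted({user for _, user, ip, code, ua in events
                   if code == 0 and user in sprayed and (ip in spray_ips or ua in spray_uas)})


if __name__ == "__main__":
    per_ip, distributed = detect_password_spray(SAMPLE_SIGNINS)
    print("per-IP spray sources:", list(per_ip) or "none")
    for (w, ua), hit in distributed.items():
        print(f"distributed spray by '{ua}': {len(hit['users'])} accounts from {hit['ips']}")
    print("reset these credentials:", accounts_to_reset(SAMPLE_SIGNINS, per_ip, distributed))
```

On the sample data the per-IP detector stays silent, since no proxy IP touches more than three accounts, while the user-agent detector sees nine accounts failing from three IPs under one client string and flags the round; the only sprayed account with a later success through that infrastructure is `legacy-test@contoso.test`, and bob's own typos from his own device are correctly left alone. Resetting every account on the sprayed list, as Microsoft recommends, is still the safer move, because a success the attacker achieved from an IP or client you did not log will not show up here.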
Microsoft stated it is accelerating efforts to apply stringent security controls and zero-trust principles to its legacy environments, even at the cost of some business disruption, and acknowledged that this shift in philosophy is necessary in the face of advanced persistent threats like Midnight Blizzard.
The technical details Microsoft has published give security teams something they can operationalize: concrete sources of telemetry to watch and concrete configurations to audit. No single control will stop a sophisticated actor, but retiring legacy tenants and test apps, enforcing conditional access, and hunting for app-identity mailbox access together remove most of what this particular intrusion chain depended on.