Russia's 'Midnight Blizzard' Targets Service Accounts for Initial Cloud Access

"Midnight Blizzard," the threat group affiliated with Russian intelligence services (SVR) and the entity behind the attacks on SolarWinds and organizations like Microsoft and HPE, is leveraging automated cloud services accounts and dormant accounts to access cloud environments at target organizations.

The attacks mark a significant shift in tactics for the threat actor (also known as APT29, Cozy Bear, and Dukes) as it adapts to the growing adoption of cloud services by organizations in sectors it has targeted traditionally.

A Significant Shift

In an advisory Monday, the UK's National Cyber Security Center (NCSC), in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA) and their counterparts in other countries, warned of the shift in Midnight Blizzard's tactics and the need for organizations to prevent the threat actor from gaining initial access to their cloud environments.

"For organizations that have moved to cloud infrastructure, a first line of defense against an actor such as SVR should be to protect against SVR's TTPs for initial access," the advisory noted, while recommending mitigations against the threat.

The US and others have tied Midnight Blizzard with a high degree of confidence to Russia's SVR, a threat actor that has been active since at least 2009. Initially the group garnered attention for its intelligence-gathering attacks against government agencies, think tanks, and organizations in healthcare and energy. In recent years, and especially since its SolarWinds attack, Midnight Blizzard has targeted numerous other organizations including those in the software supply chain, healthcare research, law enforcement, aviation, and military industries. Recently Microsoft and HPE blamed the threat actor for breaking into their respective corporate email environments and accessing emails belonging to senior leadership and key personnel.

In many of its previous attacks, Midnight Blizzard has exploited software vulnerabilities and other network weaknesses to gain initial access to a target organization's on-premises IT infrastructure. But with many of its targets shifting to cloud-native and cloud-hosted environments, the threat actor has been forced to pivot and target cloud services as well. "To access the majority of the victims' cloud hosted network, actors must first successfully authenticate to the cloud provider," the NCSC said.

Targeting Service and Dormant Accounts

One common tactic that Midnight Blizzard has employed to achieve that goal is to use brute-force guessing and password spraying attacks to gain access to cloud service accounts. These are typically automated, non-human accounts for managing cloud applications and services. Such accounts cannot be easily protected via two-factor authentication mechanisms and are therefore more susceptible to a successful compromise and takeover, the NCSC said.

But there's another issue that makes threat actor takeover of these accounts especially problematic. "Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations," the NCSC warned. In many of these attacks, the threat actors used legitimate residential IP addresses to launch their password spray attacks, making it hard for defenders to spot the activity for what it was.

Another tactic that Midnight Blizzard has used to gain initial access to a target cloud environment is to leverage dormant accounts belonging to users who may no longer be working at a victim organization, but whose account might remain on the system, the advisory noted. On occasion, the threat actor has regained access to a network from which it might have been booted out by logging into inactive accounts and following instructions to reset the password.

Abusing Authentication Tokens

Other tactics that Midnight Blizzard has used for initial cloud access include using illegally obtained OAuth tokens to access victim accounts — and maintain persistence — without requiring a password, as well as using so-called MFA bombing or MFA-fatigue attacks to get victims to authenticate them to a target account. Once the threat actor has gained access to a cloud environment, they have often registered their own device on it to gain persistent access.

To mitigate the threat, organizations should use multifactor authentication where they can, to reduce the impact of a password compromise, the NCSC said. In situations where it might be difficult to use a second authentication factor, organizations should create strong passwords for protecting service accounts. The NCSC also recommended that organizations implement the principle of least privilege for service accounts to limit what an attacker could potentially do by misusing one.

In addition, the advisory advocated keeping the session lifetimes of authentication tokens as "short as practical" to limit what the threat actor could do with a stolen token and making sure that device enrollment policies do not permit registration of unauthorized devices in the cloud environment.

"Canary service accounts should be created which appear to be valid service accounts but are never used by legitimate services," the advisory said. Misuse of such accounts is a clear sign of unauthorized access that needs immediate investigation.