Microsoft Warning: Russian-Linked Hackers Targeting Everyone With High-Stakes Phishing Attack

The threat actor has been sending out "highly targeted spear-phishing emails" since at least last week.

Microsoft has raised an alarm over a spear-phishing campaign it attributes to the threat group it tracks as Midnight Blizzard.

The group, which US and UK authorities have previously assessed to be associated with Russian intelligence and to conduct high-level cyber espionage, began this campaign last week, on Oct. 22.

Midnight Blizzard's Tactics and Targets

Microsoft learned that state-sponsored hackers from Russia sent spear-phishing emails to thousands of targets in more than 100 organizations using RDP files. Clint Patterson/Unsplash

Microsoft said the hackers sent carefully crafted spear-phishing emails to IT service providers, government agencies, and other targets across parts of the US, Japan, Australia, and Europe, Engadget reports.

The software maker said that the group, known by the names Midnight Blizzard, Cozy Bear, or APT29, has sent more than 10,000 spear-phishing emails to over 100 organizations.

To win the recipient's trust, the attackers sent mail from addresses previously stolen from legitimate organizations. Some emails impersonated Microsoft or Amazon Web Services employees, relying on social engineering to get the victim to open the attachment.

The phishing emails carry a signed Remote Desktop Protocol (.rdp) configuration file as an attachment. Opening it makes the victim's machine initiate an outbound RDP connection to a server controlled by Midnight Blizzard.

Because the file is configured to redirect local resources into that session, the attacker's server gains access to the device, any attached peripherals, network drives, and authentication credentials. That foothold can then be used to deploy malware, such as remote-access trojans, that persists on the computer after the RDP session has ended. The signature on the file does not make it safe: it mainly changes the warning the Remote Desktop client shows before connecting.
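The following triage script is an added example, not Microsoft's tooling or anything from the original article. It parses an .rdp attachment, extracts the target host, and flags the documented RDP file settings that redirect local drives, clipboard, smart cards, WebAuthn authenticators and similar resources to the remote side, plus RemoteApp mode and a disabled server-authentication check. The sample file, its host name, the signature value and the corporate allowlist are constructed for the example.

```python
"""Triage a Remote Desktop (.rdp) connection file before anyone opens it.

Added example, not Microsoft's hunting tooling. An .rdp file is plain text with
one 'name:type:value' setting per line (type 's' string, 'i' integer, 'b' binary).
The setting names below are documented RDP file properties; the sample file,
its host name, its signature value and the allowlist are constructed.
"""
import re
from dataclasses import dataclass, field

# Settings that hand local resources (or trust decisions) to the remote host:
# name -> (predicate on the raw value, why it matters).
RISKY_SETTINGS = {
    "drivestoredirect": (lambda v: v.lower() not in ("", "none"), "maps local drives into the session"),
    "devicestoredirect": (lambda v: v.lower() not in ("", "none"), "forwards plug-and-play devices"),
    "redirectclipboard": (lambda v: v == "1", "shares the clipboard with the remote host"),
    "redirectprinters": (lambda v: v == "1", "forwards local printers"),
    "redirectcomports": (lambda v: v == "1", "forwards serial ports"),
    "redirectposdevices": (lambda v: v == "1", "forwards point-of-sale devices"),
    "redirectsmartcards": (lambda v: v == "1", "exposes smart cards to the remote host"),
    "redirectwebauthn": (lambda v: v == "1", "forwards Windows Hello / FIDO authenticators"),
    "remoteapplicationmode": (lambda v: v == "1", "RemoteApp mode hides the remote desktop from the user"),
    "authentication level": (lambda v: v == "0", "connects even if server authentication fails"),
}


def decode_rdp(data):
    """Accept str or bytes. Files saved by mstsc.exe are usually UTF-16 with a BOM."""
    if isinstance(data, str):
        return data
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_rdp(data):
    """Return {name: (type, value)}. Values may contain ':' (host:port), so split at most twice."""
    settings = {}
    for raw in decode_rdp(data).splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # not a setting line; ignore rather than fail
        name, typ, value = parts
        settings[name.strip().lower()] = (typ, value.strip())
    return settings


def target_host(settings):
    """Host from 'full address' (falling back to 'alternate full address'), minus an optional :port."""
    addr = settings.get("full address", settings.get("alternate full address", ("s", "")))[1]
    m = re.fullmatch(r"(.*?)(?::(\d{1,5}))?", addr)
    return (m.group(1) if m else addr).lower()


def host_allowed(host, allowlist):
    """True if host is an approved RDP target or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


@dataclass
class Report:
    host: str
    signed: bool  # signscope + signature present; proves origin, not safety
    findings: list = field(default_factory=list)
    verdict: str = "allow"


def triage(data, allowlist):
    """Flag an .rdp file that points outside the allowlist or redirects local resources."""
    s = parse_rdp(data)
    host = target_host(s)
    report = Report(host=host, signed="signature" in s and "signscope" in s)
    if not host_allowed(host, allowlist):
        report.findings.append(f"target {host!r} is not an approved RDP host")
    for name, (risky, why) in RISKY_SETTINGS.items():
        if name in s and risky(s[name][1]):
            report.findings.append(f"{name}={s[name][1]}: {why}")
    # A valid signature is never a reason to downgrade: it only changes the client's prompt.
    report.verdict = "block" if report.findings else "allow"
    return report


# Constructed sample mimicking a lure file: everything redirected, RemoteApp mode,
# no server authentication. The signature value is a placeholder, not a real one.
SAMPLE_RDP = """\
full address:s:rdp.device-compliance-check.example:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
authentication level:i:0
signscope:s:Full Address,Remote Application Mode,Drives To Redirect
signature:s:AQABAAEAAABQbGFjZWhvbGRlcg==
"""
# Hypothetical corporate allowlist of approved RDP targets.
CORPORATE_HOSTS = ["rds.corp.example"]

if __name__ == "__main__":
    r = triage(SAMPLE_RDP, CORPORATE_HOSTS)
    print(f"host={r.host} signed={r.signed} verdict={r.verdict}")
    for finding in r.findings:
        print(" -", finding)
```

Run it against a quarantined attachment (or wire `triage` into a mail-gateway hook) and the verdict is "block" whenever the target host is outside the allowlist or any redirection is enabled; the `signed` flag is reported but deliberately never used to soften the verdict.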

How Dangerous Is the Midnight Blizzard Gang

This latest campaign is another example of Midnight Blizzard's persistent targeting of organizations in Western countries, particularly those with government, academic, and defense sector ties.

Though its activity has historically concentrated on the US and Europe, the group's recent operations in Australia and Japan mark a wider geographic scope. As cyber espionage continues to rise, no sector and no region, according to Microsoft, is safe from these sophisticated targeted attacks.

Midnight Blizzard, previously alleged to be behind the 2020 SolarWinds supply-chain attacks, has a history of breaching high-value targets. The outfit breached hundreds of organizations worldwide in that incident, and earlier this year it gained access to emails of senior Microsoft executives, exposing communications between Microsoft and some of its customers.

While Microsoft has not confirmed a link with the upcoming US presidential election, the timing has sparked speculation over possible intentions beyond intelligence gathering.

Recommended Precautions Against Spear-Phishing Attacks

Bearing in mind Midnight Blizzard's activity, Microsoft encourages organizations, especially those deemed at high risk, to improve their cyber readiness. Some defensive measures against spear-phishing attacks are as follows:

  1. Employee Training: Train staff to treat unexpected emails that invoke a trusted vendor's name or carry an .rdp attachment as suspect, and to report them rather than open them.
  2. Multi-Factor Authentication (MFA): MFA is a crucial layer that stops an attacker who holds only a stolen password. Note that it does not undo a session the victim has already opened to an attacker's RDP server, so it complements rather than replaces the other controls.
  3. Network Monitoring: Watch for anomalies such as unusual logins or data transfers, and in particular for outbound RDP connections from workstations to hosts outside the organization. Blocking outbound RDP (TCP 3389) to the internet at the perimeter and quarantining .rdp attachments at the mail gateway closes this attack path.
  4. Patching: Keep systems and software updated with available patches for vulnerabilities cyber actors could exploit.

As sophisticated groups such as Midnight Blizzard keep evolving their tradecraft, organizations need to be proactive in strengthening their defenses against them.

From spotting unusual email behavior to teaching staff to recognize phishing, every measure reduces the chance that a breach succeeds.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.