2023-06-26

Microsoft detected a sharp increase in credential-stealing attacks from the Russian-affiliated group Midnight Blizzard. The group is also known as Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes. The attackers used residential proxy services to hide the source IP addresses of the attacks. The group targeted governments, IT service companies, NGOs, and defense and critical-industry companies.

Microsoft stated that the attacks employed a variety of password spray, brute-force, and token theft methods to bypass authentication. APT29 also routed traffic through residential proxy services to obscure the origin of connections made with stolen credentials. These operations follow an increase in Russian-affiliated cyber activity since Ukraine was invaded last year. Recorded Future discovered an APT28 spear-phishing campaign that has targeted Ukrainian entities since 2021. Those attacks were linked to another cyber campaign that exploited the Microsoft Outlook vulnerability CVE-2023-23397 against European organizations. Microsoft addressed CVE-2023-23397 in March 2023, and the company continues to monitor APT29 activity.

