Midnight Blizzard
Actor Type | Nation State |
---|---|
Attributed to Nation | Russia |
Directly Linked Intrusion Sets | APT29, NOBELIUM, Cozy Bear, The Dukes |
Associated Threat Actor | SVR - Russian Foreign Intelligence Service |
Microsoft identified Midnight Blizzard as the attackers behind the 2020 attack against SolarWinds. The group has been linked to the APT29 intrusion set and Russia's SVR.
'Midnight Blizzard' was previously tracked by Microsoft as NOBELIUM.
Midnight Blizzard Threat Reports
Malicious Activities Linked to the Nobelium Intrusion Set
This report by ANSSI, the French 'Agence nationale de la sécurité des systèmes d'information', outlines activity against French diplomatic ...
Midnight Blizzard: Guidance for responders on nation-state attack
Following a compromise of Microsoft corporate systems by Midnight Blizzard which was detected on 12th January 2024, this blog post outlines ...
SVR cyber actors adapt tactics for initial cloud access
This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a
https://www.microsoft.com/en-us/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for-initial-cloud-access
https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2024-CTI-006.pdf
https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
https://learn.microsoft.com/en-gb/microsoft-365/security/intelligence/microsoft-threat-actor-naming
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1114.002 | Remote Email Collection | Collection |
T1110.003 | Password Spraying | Credential Access |
T1090.002 | External Proxy | Command and Control |
T1098.005 | Device Registration | Persistence, Privilege Escalation |
T1110 | Brute Force | Credential Access |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1528 | Steal Application Access Token | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |