Midnight Blizzard
Actor Type | Nation State |
---|---|
Attributed to Nation | Russia |
Directly Linked Intrusion Sets | APT29, NOBELIUM, Cozy Bear, The Dukes |
Associated Threat Actor | SVR - Russian Foreign Intelligence Service |
Microsoft identified Midnight Blizzard as the attackers behind the 2020 attack against SolarWinds. The group has been linked to the APT29 intrusion set and Russia's SVR.
'Midnight Blizzard' was previously tracked by Microsoft as NOBELIUM.
Midnight Blizzard Threat Reports

- Midnight Blizzard: Guidance for responders on nation-state attack. Following a compromise of Microsoft corporate systems by Midnight Blizzard which was detected on 12th January 2024, this blog post outlines ...
- SVR cyber actors adapt tactics for initial cloud access. This advisory from the UK's National Cyber Security Centre (NCSC) outlines tactics, techniques and procedures (TTPs) used by the cyber actors ...
References

- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a
- https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for-initial-cloud-access
- https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
- https://www.microsoft.com/en-us/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://learn.microsoft.com/en-gb/microsoft-365/security/intelligence/microsoft-threat-actor-naming

MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1114.002 | Remote Email Collection | Collection |
T1110.003 | Password Spraying | Credential Access |
T1090.002 | External Proxy | Command and Control |
T1098.005 | Device Registration | Persistence, Privilege Escalation |
T1110 | Brute Force | Credential Access |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1528 | Steal Application Access Token | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |