
Cybersecurity · Credibility 93/100 · 2 min read

Five Eyes Warn on Russian SVR Cloud Intrusions — May 7, 2024

CISA and allied agencies detailed how Midnight Blizzard compromises cloud identity and M365 tenants using password spray and token theft.

Executive briefing: The United States, United Kingdom, Canada, Australia, and New Zealand released joint Cybersecurity Advisory AA24-131A on the Russian Foreign Intelligence Service (SVR) actor Midnight Blizzard, also tracked as APT29. The advisory documents how the group has adapted its tradecraft to cloud-hosted environments: gaining initial access to Microsoft 365 tenants, stealing data, and maintaining persistence once inside.

Key tradecraft updates

  • Password spray paired with residential proxies. Midnight Blizzard tries a small set of likely passwords against large username lists and routes the attempts through residential proxy networks, so the source addresses blend in with ordinary home traffic and defeat IP-based rate limiting and geoblocking. Per-IP volume stays low; only a tenant-wide view across accounts reveals the spray.
  • Token replay and OAuth abuse. Stolen session tokens are replayed to inherit an MFA check that has already been satisfied, while abused Azure app registrations and legacy authentication flows that cannot present an MFA claim let the actor bypass MFA outright and create backdoor accounts for persistence.
  • Expansive data theft. The SVR exfiltrates mailbox archives, Teams messages, SharePoint data, and source code repositories for follow-on intelligence operations.

Mitigation priorities

  • Audit OAuth applications, service principals, and inactive tenants for suspicious consent grants or elevated privileges, revoking unused credentials immediately.
  • Enable Conditional Access policies that require phishing-resistant MFA, device compliance, and location checks for all privileged roles, and that block the legacy authentication flows the actor abuses.
  • Collect and retain Microsoft 365 Unified Audit Log data for at least 12 months so hunts can cover unusual sign-in patterns (many accounts failing from many unrelated residential IPs, then a success from one of them), mailbox exports, and role assignments.
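The following hunting script is an added example, not code from the advisory or from CISA; it ties the password-spray tradecraft above to the log-hunting mitigation. It works over Entra ID sign-in records flattened to dicts (field names follow the sign-in log export, with status.errorCode flattened to errorCode; that shape is an assumption), and the sample records are constructed, not real telemetry. Error code 50126 is Entra's "invalid username or password" result, and the client-app values listed are the legacy protocols that cannot carry an MFA claim.

```python
"""Hunting helpers for the cloud password-spray tradecraft described above."""
from collections import Counter
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # Entra ID sign-in error: invalid username or password
SUCCESS = 0
# Protocols that cannot present an MFA claim; a success here is worth a look.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync", "Other clients"}


def _rec(ts, upn, ip, code, app):
    # Assumed flattened shape of an Entra sign-in log record.
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "errorCode": code, "clientAppUsed": app}


# Constructed sample, not real telemetry: one user mistyping twice from her own
# IP (benign), six accounts each hit once from a different address inside five
# minutes (distributed spray), then a legacy-protocol success from a spray IP.
SAMPLE = [
    _rec("2024-05-07T08:30:00Z", "grace@corp.example", "198.51.100.7", INVALID_PASSWORD, "Browser"),
    _rec("2024-05-07T08:30:40Z", "grace@corp.example", "198.51.100.7", INVALID_PASSWORD, "Browser"),
    _rec("2024-05-07T09:00:05Z", "alice@corp.example", "203.0.113.10", INVALID_PASSWORD, "Browser"),
    _rec("2024-05-07T09:01:12Z", "bob@corp.example", "203.0.113.11", INVALID_PASSWORD, "Browser"),
    _rec("2024-05-07T09:02:03Z", "charlie@corp.example", "203.0.113.12", INVALID_PASSWORD, "Browser"),
    _rec("2024-05-07T09:02:51Z", "dana@corp.example", "203.0.113.13", INVALID_PASSWORD, "Browser"),
    _rec("2024-05-07T09:03:44Z", "erin@corp.example", "203.0.113.14", INVALID_PASSWORD, "Browser"),
    _rec("2024-05-07T09:04:30Z", "frank@corp.example", "203.0.113.15", INVALID_PASSWORD, "Browser"),
    _rec("2024-05-07T09:20:00Z", "alice@corp.example", "203.0.113.12", SUCCESS, "Exchange ActiveSync"),
    _rec("2024-05-07T10:00:00Z", "bob@corp.example", "198.51.100.8", SUCCESS, "Browser"),
]


def load(records):
    """Attach a parsed timestamp to each record and return them sorted by time."""
    out = []
    for r in records:
        r = dict(r)
        r["ts"] = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        out.append(r)
    return sorted(out, key=lambda r: r["ts"])


def find_spray_windows(records, window=timedelta(minutes=30), min_users=5, max_hits_per_ip=2):
    """Sliding-window spray detector.

    A window is reported when at least `min_users` distinct accounts receive
    an invalid-password failure within `window`. It is marked `distributed`
    when no single source IP contributed more than `max_hits_per_ip` of those
    failures: that is the residential-proxy shape, where per-IP counts stay
    under any rate limit and only the cross-account view reveals the spray.
    """
    fails = [r for r in records if r["errorCode"] == INVALID_PASSWORD]
    findings, i = [], 0
    while i < len(fails):
        start = fails[i]["ts"]
        bucket = [f for f in fails[i:] if f["ts"] - start <= window]
        users = {f["userPrincipalName"] for f in bucket}
        per_ip = Counter(f["ipAddress"] for f in bucket)
        if len(users) >= min_users:
            findings.append({
                "start": start, "end": bucket[-1]["ts"],
                "users": users, "ips": set(per_ip),
                "distributed": max(per_ip.values()) <= max_hits_per_ip,
            })
            i += len(bucket)  # consume the burst so it is reported once
        else:
            i += 1
    return findings


def follow_on_successes(records, spray, horizon=timedelta(hours=24)):
    """Successful sign-ins by a sprayed account from a spray source IP after
    the spray began: the strongest sign that a guessed password worked."""
    return [r for r in records
            if r["errorCode"] == SUCCESS
            and r["userPrincipalName"] in spray["users"]
            and r["ipAddress"] in spray["ips"]
            and spray["start"] < r["ts"] <= spray["end"] + horizon]


def legacy_auth_successes(records):
    """Successes over protocols that bypass MFA; if Conditional Access blocks
    legacy authentication as recommended, any hit here is a policy gap."""
    return [r for r in records
            if r["errorCode"] == SUCCESS and r["clientAppUsed"] in LEGACY_CLIENTS]


if __name__ == "__main__":
    recs = load(SAMPLE)
    for s in find_spray_windows(recs):
        print(f"spray {s['start']:%H:%M}-{s['end']:%H:%M}: {len(s['users'])} accounts, "
              f"{len(s['ips'])} IPs, distributed={s['distributed']}")
        for hit in follow_on_successes(recs, s):
            print("  follow-on success:", hit["userPrincipalName"], "from", hit["ipAddress"])
    for r in legacy_auth_successes(recs):
        print("legacy-protocol success:", r["userPrincipalName"], r["clientAppUsed"])
```

Grace's two failures from her own address never reach the account threshold, so they are not reported; the six single-hit failures from six unrelated addresses are, and a per-IP lockout counter would have seen nothing. Alice's later success from one of the spray addresses over Exchange ActiveSync is flagged twice: as a follow-on success and as a legacy-protocol sign-in that never presented MFA. Thresholds are starting points to tune against the tenant's own baseline.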

Control alignment

  • NIST CSF 2.0 PR.AA. Continuous identity governance and Conditional Access support the Identity Management, Authentication, and Access Control (PR.AA) outcomes of the Protect function.
  • CISA Cross-Sector Cybersecurity Performance Goals. The advisory maps to PG.6 (Credential Hygiene) and PG.9 (Remote Access), reinforcing baseline safeguards.
  • ISO/IEC 27001:2022 Annex A. Zero trust access policies align with the organizational controls on access control and identity management (A.5.15, A.5.16); log retention aligns with the technological control on logging (A.8.15).
Tags: United States · United Kingdom · Russia · Threat intelligence