Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets

Mar 09, 2024 | Newsroom | Cyber Attack / Threat Intelligence

Microsoft on Friday revealed that the Kremlin-backed threat actor known as Midnight Blizzard (aka APT29 or Cozy Bear) managed to gain access to some of its source code repositories and internal systems following a hack that came to light in January 2024.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” the tech giant said.

“This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Redmond, which is continuing to investigate the extent of the breach, said the Russian state-sponsored threat actor is attempting to leverage the different types of secrets it found, including those that were shared between customers and Microsoft in email.

It, however, did not disclose what these secrets were or the scale of the compromise, although it said it has directly reached out to impacted customers. It’s not clear what source code was accessed.

Stating that it has increased its security investments, Microsoft further noted that the adversary ramped up its password spray attacks by as much as 10-fold in February, compared to the “already large volume” observed in January.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” it said.

“It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”

The Microsoft breach is said to have taken place in November 2023, with Midnight Blizzard employing a password spray attack to successfully infiltrate a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled.

The tech giant, in late January, revealed that APT29 had targeted other organizations by taking advantage of a diverse set of initial access methods ranging from stolen credentials to supply chain attacks.

Midnight Blizzard is considered part of Russia’s Foreign Intelligence Service (SVR). Active since at least 2008, the threat actor is one of the most prolific and sophisticated hacking groups, compromising high-profile targets such as SolarWinds.

DPRK Hackers Stole $600 Million in Cryptocurrency in 2023

Jan 08, 2024 | Newsroom | Cryptocurrency / Financial Crime

Threat actors affiliated with the Democratic People’s Republic of Korea (also known as North Korea) have plundered at least $600 million in cryptocurrency in 2023.

The DPRK “was responsible for almost a third of all funds stolen in crypto attacks last year, despite a 30% reduction from the USD 850 million haul in 2022,” blockchain analytics firm TRM Labs said last week.

“Hacks perpetrated by the DPRK were on average ten times as damaging as those not linked to North Korea.”

There are indications that additional breaches targeting the crypto sector towards the end of 2023 could push this figure higher to around $700 million.

The targeting of cryptocurrency companies is not new for North Korean state-sponsored actors, who have stolen about $3 billion since 2017.

These financially motivated attacks are seen as a crucial revenue-generation mechanism for the sanctions-hit nation, funding its weapons of mass destruction (WMD) and ballistic missile programs.

The intrusions leverage social engineering to lure targets and typically aim to compromise private keys and seed phrases – which are used to safeguard digital wallets – and then use them to gain unauthorized access to the victims’ assets and transfer them to wallets under the threat actor’s control.

“They are then swapped mostly for USDT or Tron and converted to hard currency using high-volume OTC brokers,” TRM Labs said.

The company further noted that DPRK hackers continued to explore other money laundering tools after the U.S. Treasury Department sanctioned a crypto mixer service known as Sinbad for processing a chunk of their proceeds, indicating constant evolution despite law enforcement pressure.

“With nearly USD 1.5 billion stolen in the past two years alone, North Korea’s hacking prowess demands continuous vigilance and innovation from business and governments,” TRM Labs said.
