Tag Archives: Microsoft

2024, Cyberculture, Digital Security

Russian Cyberattack Microsoft: An Unprecedented Threat

Posted on by FMTAD
Cybersecurity theme with shield, padlock, and computer screen displaying warning signs, highlighting the Russian cyberattack on Microsoft.
01
Jul

Russian cyberattack on Microsoft by Midnight Blizzard (APT29) highlights the strategic risks to digital sovereignty. Discover how the group exploited password spraying, malicious OAuth applications, and legacy exposure — and the sovereign countermeasures offered by DataShielder and PassCypher.

Executive Summary — Midnight Blizzard (APT29) vs Microsoft

Reading note — Short on time? This Executive Summary gets you the essentials in 3 minutes. Full analysis: ≈15 minutes.

⚡ Objective

Understand how Midnight Blizzard (aka APT29, Cozy Bear) leveraged password spraying, malicious OAuth apps, and legacy exposure to access Microsoft’s internal email and escalate risks across tenants — and how sovereign HSM controls would have contained impact.

💥 Scope

Microsoft corporate mailboxes, executive communications, and internal collaboration workflows; spillover risk to customers and partners via token reuse and app-consent abuse.

🔑 Doctrine

APT29 favors low-noise, cloud-adjacent persistence without obvious malware. Defenders must harden identity (conditional access), monitor OAuth consent creation, rate-limit auth anomalies, and treat encrypted-egress analytics as first-class telemetry.

🌍 Strategic differentiator

Unlike cloud-only defenses, DataShielder & PassCypher adopt a zero cloud, zero disk, zero DOM posture with segmented-key HSM custody (NFC/PGP). Result ⮞ encrypted content remains unreadable even under mailbox compromise; credentials/OTP remain offline and non-replayable.

Technical Note

Reading time (summary): ≈ 3 minutes
Reading time (full): ≈ 15 minutes
Level: Cyberculture / Digital Security
Posture: Identity-first hardening, sovereign encryption (HSM)
Section: Digital Security
Language: FR · EN · CAT · ES
Editorial type: Chronicle
About the author: Jacques Gascuel — Inventor of Freemindtronic®, expert in sovereign HSM architectures, segmented keys (NFC/PGP), and offline, resilient communications.

TL;DR —
Midnight Blizzard (APT29) combined password spraying with malicious OAuth to access Microsoft internal mail. Even with rapid containment (SFI), token-based lateralization and app-consent persistence raised downstream risk. DataShielder keeps content end-to-end encrypted with volatile-memory decryption only; PassCypher stores credentials/OTP offline in HSM, defeating replay and loginless phishing sequences.

Russian Cyberattack Microsoft — Sovereign flow diagram showing identity hardening, OAuth monitoring, encrypted offline channels, and HSM custody with DataShielder and PassCypher
✺ Sovereign flow — Russian Cyberattack Microsoft: From Midnight Blizzard attack chain to identity & OAuth hardening, detection of anomalous consent/graph telemetry, then escalation to encrypted offline channels and segmented HSM custody with DataShielder & PassCypher, enabling proactive MITRE ATT&CK hunts.

Microsoft Admits Russian Cyberattack Was Worse Than Expected

Update context. On 12 January 2024, Microsoft detected unauthorized access linked to Midnight Blizzard (aka APT29 / NOBELIUM / Cozy Bear). Subsequent disclosures showed the breach was more extensive than first reported, including access to executive and security/legal mailboxes, large-scale password spraying, and malicious OAuth app abuse with token replay.

What changed vs. initial reports

  • Discovery of legacy account exposure used as the initial foothold, then pivot to internal email.
  • Evidence of token-based lateralization (OAuth consent misuse) across tenants and partners.
  • Tenfold increase in password-spray attempts in the weeks that followed, expanding downstream risk.

Why it matters

Midnight Blizzard is a state-sponsored actor assessed as part of Russia’s foreign-intelligence ecosystem, historically targeting governments, NGOs, and IT/service providers in the US and Europe. The campaign underscores how cloud-adjacent identity abuse (OAuth, tokens, legacy accounts) can bypass classical malware-centric defenses and compromise digital sovereignty at scale.

Freemindtronic Insight. This incident highlights the strategic value of sovereign encryption solutions like DataShielder NFC HSM and PGP HSM, which ensure that even compromised inboxes remain unreadable without physical access and multi-factor authentication.

Authoritative references

See Microsoft’s Secure Future Initiative (SFI), Microsoft’s incident communications on Midnight Blizzard (MSRC/On the Issues), and the U.S. CISA Emergency Directive ED-24-02 for official guidance and required mitigations.

This section is part of our in-depth coverage of the Russian Cyberattack Microsoft incident involving Midnight Blizzard.

Background & Technical Details — Russian Cyberattack Microsoft

⮞ Summary. Midnight Blizzard (APT29) exploited password spraying and malicious OAuth apps to infiltrate Microsoft. The intrusion chain combined legacy account exposure, weak consent monitoring, and stealthy cloud persistence — making it a benchmark case for sovereign cybersecurity doctrine.

The Russian Cyberattack Microsoft incident, orchestrated by Midnight Blizzard (APT29/Cozy Bear), revealed a sophisticated combination of password spraying at scale (CISA ED-24-02) and the abuse of malicious OAuth applications. By exploiting a legacy non-production account, attackers gained foothold into Microsoft’s corporate mailboxes, including executive and legal teams.

This operation mirrors past campaigns such as SolarWinds supply-chain compromise, but with a focus on cloud tokens and stealth persistence. The breach emphasized weaknesses in tenant isolation, consent governance, and token refresh lifecycles.

Technical analysis shows how Midnight Blizzard avoided traditional endpoint detections by staying cloud-adjacent: no heavy malware, only abused credentials and trusted OAuth flows. This approach drastically reduced IOC visibility and prolonged dwell time inside Microsoft systems.

Microsoft responded with its Secure Future Initiative (SFI), which prioritizes identity hardening, OAuth monitoring, and sovereign-aligned mitigations. Still, the attack highlights a systemic risk: when cloud identity is compromised, mailbox confidentiality collapses unless sovereign HSM solutions (DataShielder, PassCypher) are enforced.

Immediate Response from Microsoft

On January 12, 2024, Microsoft detected unauthorized access to its internal systems. The security team immediately activated a response process to investigate and mitigate the attack. Midnight Blizzard compromised a legacy non-production test account, gaining access to several internal email accounts, including those of senior executives and critical teams like cybersecurity and legal​.

Impact of Compromised Emails from the Russian Cyberattack

Midnight Blizzard managed to exfiltrate internal Microsoft emails, including sensitive information shared between the company and its clients. The attackers used this information to attempt access to other systems and increased the volume of password spray attacks by tenfold in February 2024. This led to an increased risk of compromise for Microsoft’s clients​.

Statistical Consequences of the Russian Cyberattack on Microsoft

  • Increase in Attacks: In February 2024, the volume of password spray attacks was ten times higher than in January 2024.
  • Multiple Targets: The compromised emails allowed Midnight Blizzard to target not only Microsoft but also its clients, thereby increasing the risk of compromise across various organizations.
  • Access to Internal Repositories: The attackers were able to access some source code repositories and internal systems, although no customer-facing systems were compromised​.

Statistical Consequences of the Russian Cyberattack on Microsoft

⮞ Summary. The Russian Cyberattack Microsoft triggered a tenfold surge in password-spray attempts, exposed executive mailboxes, and forced large-scale remediation. Official directives (CISA ED-24-02) confirm measurable systemic impact beyond Microsoft itself.

Analysis of the Midnight Blizzard (APT29) incident highlights the statistical footprint left on Microsoft and its ecosystem. According to CISA Emergency Directive ED-24-02, downstream exposure went far beyond initial intrusion:

  • 10× increase in password-spray attacks during February 2024 compared to January, escalating brute-force telemetry.
  • Multiple targets compromised: from Microsoft executive teams to strategic partners, amplifying the risk of supply-chain lateralization.
  • Internal repositories accessed: some source code and mailbox content exfiltrated — while Microsoft stressed that no customer-facing systems were breached.
  • Regulatory alert: U.S. federal agencies were ordered by CISA to reset credentials and secure Entra ID/Azure privileged authentication tools.

This statistical aftermath confirms the systemic risks of cloud-identity compromise: once OAuth tokens and mailbox credentials are stolen, propagation extends across tenants and partners. Without sovereign HSM custody (DataShielder & PassCypher), organizations remain exposed to credential replay and stealth exfiltration.

Ongoing Escalation & Data Reuse — Russian Cyberattack Microsoft

⮞ Summary. Post-breach monitoring revealed that Midnight Blizzard (APT29) continued to reuse exfiltrated data, OAuth tokens and stolen credentials. The Russian Cyberattack Microsoft extended into follow-on phishing, token replay and cloud-persistence campaigns across multiple tenants.

After the January 2024 compromise, APT29/Midnight Blizzard did not stop at Microsoft’s initial remediation. Instead, the group weaponized data already stolen to sustain access and broaden espionage reach. According to CISA alerts and Microsoft’s own Secure Future Initiative (SFI), adversaries systematically:

  • Replayed OAuth tokens harvested from compromised accounts to bypass fresh credential resets.
  • Exfiltrated mail archives used to craft targeted spear-phishing campaigns against partners and governments.
  • Leveraged leaked correspondence to execute disinformation and hybrid-conflict narratives.
  • Expanded persistence through new malicious OAuth application consents, evading traditional MFA checks.

This escalation phase illustrates that the Russian Cyberattack Microsoft was not a one-time event but an ongoing campaign with iterative exploitation. For defenders, this confirms the need for sovereign cryptographic containment: while cloud identities can be replayed, DataShielder and PassCypher ensure that exfiltrated data remains undecipherable and credentials are non-replayable due to offline segmented-key HSM custody.

October 2024 RDP Spear-Phishing Campaign — Russian Cyberattack Microsoft

⮞ Summary. In October 2024, Midnight Blizzard (APT29) escalated the Russian Cyberattack Microsoft with a large spear-phishing wave delivering .RDP files. These attachments initiated covert remote desktop sessions, bypassing traditional email security and extending persistence.

On October 16, 2024, Microsoft confirmed that Midnight Blizzard actors were distributing .RDP attachments in targeted phishing campaigns. When opened, the files automatically launched remote desktop sessions to attacker-controlled infrastructure, effectively granting adversaries direct access to victim environments.

This new tactic leveraged trusted file types and signed components to evade standard email filters and sandboxing. The campaign primarily targeted government entities, NGOs, and IT providers in Europe and North America, aligning with APT29’s long-term espionage doctrine.

According to CISA alerts and ENISA threat bulletins, the malicious RDP sessions allowed attackers to:

  • Establish persistent remote control bypassing traditional login prompts.
  • Harvest additional credentials through Windows authentication requests inside the RDP session.
  • Deploy secondary payloads undetected by endpoint monitoring, as the activity was masked as legitimate remote access.

For defenders, this October 2024 escalation illustrates how Russian APTs adapt quickly, shifting from OAuth abuse to remote desktop weaponization. Without sovereign safeguards, even encrypted mail channels remain insufficient against file-based phishing vectors.

Here, DataShielder and PassCypher deliver layered resilience: offline decryption ensures malicious .RDP payloads cannot auto-open decrypted content, while HSM-segmented key custody prevents credential replay inside remote sessions.

Midnight Blizzard Threat Timeline (HC3) — Russian Cyberattack Microsoft

⮞ Summary. A June 2024 HC3 briefing outlined a multi-year evolution of Midnight Blizzard (APT29) tactics. The Russian Cyberattack Microsoft is a continuation of this timeline, showing a shift from classic phishing to OAuth persistence and cloud token exploitation.

The U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) published a June 2024 threat profile detailing APT29’s operational history. Key stages align with the escalation observed in the Russian Cyberattack Microsoft:

  • 2018–2020: Initial reliance on spear-phishing and credential harvesting, including campaigns against U.S. and European institutions.
  • 2020–2021: SolarWinds supply-chain compromise, marking APT29’s ability to exploit trusted third-party software ecosystems.
  • 2022–2023: Transition to cloud identity abuse, including malicious OAuth applications and stealthy persistence.
  • 2024: Large-scale escalation with Microsoft corporate mailbox compromise, password spraying at scale, and token replay — culminating in October spear-phishing via .RDP files.

According to CISA and ENISA, APT29 demonstrates a doctrine of hybrid conflict cyber-espionage: combining stealth persistence, identity abuse, and information operations. This timeline confirms the progressive escalation model of Midnight Blizzard campaigns.

Defensive takeaways: only sovereign HSM architectures (e.g., DataShielder, PassCypher) can neutralize token replay and ensure that exfiltrated data remains encrypted and non-exploitable across campaign phases.

Advanced Encryption and Security Solutions

Sovereign posture. Adopt end-to-end encryption with zero cloud, zero disk, zero DOM and segmented-key custody to make exfiltrated data cryptographically unusable under mailbox compromise.

To resist state-grade threats, organizations should enforce robust encryption with sovereign key custody. Technologies like
DataShielder NFC HSM, DataShielder HSM PGP, and DataShielder Auth NFC HSM encrypt emails and attachments end-to-end while keeping decryption keys offline inside an HSM (NFC/PGP).

If Midnight Blizzard had accessed an executive mailbox protected by DataShielder, message bodies and files would have remained unreadable. Decryption occurs only in volatile memory after physical HSM presence and multi-factor checks. This neutralizes token replay and limits the blast radius of OAuth or identity abuse.

Beyond confidentiality, the sovereign design simplifies incident response: keys are never hosted in the provider’s cloud, and credentials or OTPs managed with segmented keys are not replayable across OAuth/RDP sessions.

Global Reactions and Security Measures

This attack highlights the ongoing risks posed by well-funded state actors. In response, Microsoft launched the Secure Future Initiative (SFI). This initiative aims to strengthen the security of legacy systems and improve internal processes to defend against such cyber threats. The company has also adopted a transparent approach, quickly sharing details of the attack and closely collaborating with government agencies to mitigate risks​.

Microsoft’s Secure Future Initiative (SFI) aims to harden legacy infrastructure. In parallel, CISA and ENISA coordinate sectoral resilience guidance for critical operators.

Best Practices in Cybersecurity to Prevent Russian Cyberattacks

To protect against these threats, companies must adopt robust security measures. Multi-factor authentication and continuous system monitoring are crucial. Additionally, implementing regular security updates is essential. The CISA emergency directive ED 24-02 requires affected federal agencies to analyze the content of exfiltrated emails, reset compromised credentials, and secure authentication tools for privileged Azure accounts​ (CISA)​.

Beyond classical defenses, sovereign encryption and segmented HSM custody ensure that even if OAuth tokens or mailboxes are compromised, sensitive data remains cryptographically unusable.

Comparison with Other Cyberattacks

This attack is reminiscent of other major incidents, such as those against SolarWinds and Colonial Pipeline. These attacks demonstrate the evolving techniques of attackers and the importance of maintaining constant vigilance. Companies must be ready to respond quickly and communicate transparently with stakeholders to minimize damage and restore trust​.

See CISA SolarWinds advisory and Colonial Pipeline cyberattack report for context.

The Sovereign Takeaway — Russian Cyberattack Microsoft

⮞ Summary. The Russian Cyberattack Microsoft by Midnight Blizzard (APT29) illustrates how identity abuse, OAuth persistence, and hybrid operations converge to weaken global resilience.
Only a sovereign HSM posture — with DataShielder and PassCypher — ensures that exfiltrated data or stolen tokens remain cryptographically unusable.

This doctrine of zero cloud, zero disk, zero DOM with segmented HSM custody is what transforms a breach into a contained incident rather than a systemic crisis. It marks the line between conventional cloud security and sovereign cryptographic resilience.

Further Reading: For extended analysis, see our chronicle on the Midnight Blizzard cyberattack against Microsoft & HPE, authored by Jacques Gascuel.

Strategic Aftermath — Outlook beyond the Russian Cyberattack Microsoft

⮞ Summary. Beyond incident response, organizations must assume that identity- and token-based compromise will recur.
A sovereign posture treats cloud identity as ephemeral and sensitive content as persistently encrypted under offline HSM custody.

In the wake of the Russian Cyberattack Microsoft, three shifts are non-negotiable. First, identity becomes telemetry-driven: conditional access, consent creation, and token lifecycles are continuously scored, not merely logged. Second, communications become sovereign by default: message bodies and files remain unreadable without physical HSM presence, even if mailboxes are accessed. Third, credentials and OTPs leave the cloud: segmented-key custody prevents reuse across OAuth, Graph, or RDP flows.

  • Containment by design — Enforce zero cloud, zero disk, zero DOM decryption paths; treat tokens as hostile until proven otherwise.
  • Operational continuity — Maintain an out-of-band sovereign channel for IR, so investigations never depend on compromised tenants.
  • Partner hygiene — Require OAuth consent baselines and cross-tenant anomaly sharing; audit refresh-token lifetimes.

Practically, this outlook translates into DataShielder for end-to-end content encryption with volatile-memory decryption, and PassCypher for offline credential custody and non-replayable OTP. Together, they narrow the blast radius of future APT29-style campaigns while preserving mission continuity.

Real-world sovereign use case — Russian Cyberattack Microsoft (executive mailbox compromised)

  1. During the Russian Cyberattack Microsoft (Midnight Blizzard / APT29), an executive’s mailbox is accessed via token replay.
  2. Emails & attachments remain unreadable: content is end-to-end encrypted with DataShielder; decryption occurs only in volatile memory after NFC HSM presence.
  3. Credentials & OTP are never exposed: PassCypher stores them offline with segmented keys, preventing replay inside OAuth/RDP sessions.
  4. Operations continue seamlessly: an out-of-band sovereign channel maintains secure communications during incident response, with no cloud keys to rotate.
Russian Cyberattack Microsoft — APT29 token replay on executive mailbox stopped by DataShielder encryption and PassCypher sovereign HSM credentials
✪ Illustration — Russian Cyberattack Microsoft: Executive mailbox compromised by APT29 token replay, contained by DataShielder sovereign encryption and PassCypher offline HSM custody.

Related links — Russian APT actors

Weak Signals — Trends to Watch Beyond the Russian Cyberattack Microsoft

These evolutions are consistent with the Russian hybrid warfare doctrine, where cyber-espionage (APT29) and influence operations converge to destabilize strategic sectors.

⮞ Summary. The Russian Cyberattack Microsoft highlights systemic risks. Weak signals suggest APT29 and affiliated Russian actors will expand beyond OAuth abuse, experimenting with AI-driven phishing, encrypted command channels, and regulatory blind spots.

Looking ahead, the aftermath of the Midnight Blizzard (APT29) intrusion offers insights into future trends in Russian cyber-espionage:

  • AI-augmented spear-phishing: Generative AI may increase the credibility and linguistic adaptation of phishing lures, complicating detection (ENISA reports).
  • Encrypted C2 channels inside cloud apps: Expect wider abuse of collaboration platforms (Teams, SharePoint) with end-to-end encrypted exfiltration masquerading as normal traffic.
  • OAuth & token lifecycle attacks: Beyond classic consent abuse, attackers may pivot to refresh token manipulation and multi-cloud federation exploits.
  • Hybrid conflict synchronization: Cyber intrusions paired with influence campaigns targeting elections, energy policy, and EU institutional trust.
  • Regulatory misalignment: While frameworks such as EU CRA and NIS2 strengthen defenses, uneven adoption leaves OIV/OES with exploitable gaps.

These signals reinforce the necessity of sovereign cryptographic architectures. With DataShielder and PassCypher, organizations can enforce offline key segmentation, volatile-memory decryption, and encrypted egress control, making exfiltrated data strategically useless to adversaries.

2024, Digital Security

Midnight Blizzard Cyberattack Against Microsoft and HPE: What are the consequences?

Posted on by FMTAD
Digital world map showing cyberattack paths with Midnight Blizzard, Microsoft, HPE logos, email symbols, and password spray illustrations.
10
Mar

Discover Russian Tactics by Midnight Blizzard

Midnight Blizzard, supported by Russian strategy, targeted Microsoft and HPE, orchestrating sophisticated cyberattacks. We delve into the facts, consequences, and effective protective measures such as PassCypher and DataShielder to combat this type of espionage.

Stay informed in our posts dedicated to Digital Security to follow its evolution thanks to our regularly updated topics

Explore our digital security feature on the Midnight Blizzard cyberattack against Microsoft and HPE by Jacques Gascuel. Stay updated and secure with our insights.

Updated March 20, 2024

Midnight Blizzard Cyberattack against Microsoft and HPE: A detailed analysis of the facts, the impacts and the lessons to learn

In 2023 and 2024, two IT giants, Microsoft and Hewlett Packard Enterprise (HPE), which has been using Microsoft 365 as its cloud messaging platform since 2017), fell victim to cyberattacks carried out by a hacker group linked to the Russian government. These attacks allowed hackers to gain access to the internal systems, source code, and sensitive data of companies and their customers. What are the facts, consequences and lessons to be learned from these incidents?

Update: Microsoft 365 Cyberattack Intensifies

Initial Underestimation: Researchers reveal the cyberattack on Microsoft 365 is far more severe than first anticipated.
APT Exploits Data: The APT group, orchestrating the attack, has leveraged exfiltrated data to delve deeper into Microsoft’s network.
Security Experts Raise Concerns: Security professionals express concerns over disjointed defense teams. They fear unidentified vulnerabilities may persist.
Microsoft’s Stance: Popular opinion suggests Microsoft is ‘caught off-guard’ against such sophisticated attacks.
Ongoing Efforts: Microsoft is now bolstering defenses, ensuring tighter coordination across security teams to address these challenges.

For more details, refer to the official Microsoft Security Response Center update.

How were the attacks carried out against Microsoft and HPE?

The attacks on Microsoft and HPE were carried out by the same hacker group, Midnight Blizzard, which is linked to the Russian government. The hackers used the same technique to infiltrate the networks of both companies: compromising Microsoft 365 email. This cloud-based messaging platform is used by many organizations to communicate and collaborate.

“Password Spray” Attack Method Against Microsoft and HPE

The compromise of Microsoft 365’s email and HPE’s email accounts was achieved through a simple but effective method known as “password spraying.” This technique, often used after a brute force attack, involves guessing a password by trying several combinations, usually from previous data breaches.

The hackers used this method to gain access to an old test account on Microsoft’s network. Once they gained access, they were able to infiltrate HPE’s email accounts.

“Password spraying” is a technique where hackers use common passwords to attempt to gain access to multiple accounts on the same domain. Using a list of commonly used weak passwords, a hacker can potentially gain access to hundreds of accounts in a single attack. This differs from “Credential Stuffing”, where a single set of credentials is used to attempt to access different accounts across multiple domains.

In the case of the Midnight Blizzard attack on Microsoft, the hacker group used a password spray attack to compromise a legacy non-productive test account and gain a foothold. They then used the account’s permissions to gain access to a very small percentage of Microsoft’s corporate email accounts, including members of the executive team and employees in cybersecurity, legal, and other functions. They managed to exfiltrate some emails and attached documents.

Once they gained access to email accounts, the hackers were able to exfiltrate sensitive data, such as emails, attachments, source code, and secrets.

Method of attack against Microsoft and HPE customers “phishing, malware or social engineering”

Midnight Blizzard also used this data to carry out subsequent attacks against Microsoft and HPE customers, using phishing, malware, or social engineering techniques.

Why were the attacks successful?

  • Hackers exploited security vulnerabilities such as the lack of multi-factor authentication, the persistence of legacy test accounts, or weak passwords.
  • The hackers acted in a discreet manner, using advanced and persistent techniques, such as encrypting communications, masking IP addresses, or imitating legitimate behavior.
  • The hackers were supported by the Russian government, which provided them with resources, information, and diplomatic protection.

Here’s a diagram that summarizes the steps to Microsoft 365 email compromise:

Microsoft 365 email compromise diagram

Diagram depicting the 'Midnight Blizzard' cyberattack against Microsoft and HPE using password spray tactics.

Stages of Microsoft’s Security Breach

Microsoft endured a multi-phase assault:

November 2023 saw the initial breach when attackers cracked an outdated test account via password spray attacks, cycling through many potential passwords.

By December, those intruders had penetrated select executive and security team email accounts, extracting sensitive emails and documents.

January 2024 brought Microsoft’s detection and countermeasures to thwart further unauthorized access. The company identified Midnight Blizzard, known by aliases such as APT29 and Cozy Bear, as the culprits.

Come March, it was disclosed that the invaders had also accessed Microsoft’s code repositories and internal systems, utilizing the stolen intel for subsequent assaults on Microsoft’s clientele, targeting to exploit vulnerabilities or clone functionalities.

The different consequences of this attack on Microsoft

Consequences for Microsoft and its customers

The attack had significant consequences for Microsoft and its customers. On the one hand, Microsoft had to tighten its security measures, notify affected customers, investigate the extent of the compromise, and restore trust in its services.

On the other hand, Microsoft’s customers faced the risk of being targeted by subsequent attacks using information stolen from Microsoft, such as secrets, source code, or sensitive data. Some customers may have suffered financial losses, reputational damage, or privacy breaches.

Geopolitical consequence

The attack also had geopolitical consequences, as it revealed the Russian government’s involvement in large-scale cyber espionage operations against Western interests. It has drawn condemnation from several countries, including the United States, the United Kingdom, France and Germany, which have called for a coordinated and proportionate response to the threat. It also reinforced the need to strengthen international cooperation on cybersecurity and to define common standards to prevent conflicts in cyberspace.

Steps to attack HPE

Midnight Blizzard executed the attack on HPE, leveraging Microsoft 365 email for entry—the platform HPE adopted in 2017.

Initially, in May 2023, the hackers infiltrated SharePoint, extracting a select set of files. Post-breach, HPE, alongside cybersecurity experts, promptly engaged in containment and recovery efforts.

Come December, new breaches surfaced; targeted mailboxes related to cybersecurity and business operations were compromised. These intrusions were suspected to be connected to the earlier SharePoint incident.

Finally, in January 2024, HPE disclosed the breach to the SEC, affirming the implementation of measures to remove the threat, alert impacted clients, gauge the breach’s scope, and reinstate service integrity.

The different consequences of this attack on HPE

First, the attack had similar consequences to the attack on Microsoft, but on a smaller scale.

Restoring trust in its services to their customersOn the one hand, HPE had to strengthen its security measures, inform affected customers, and restore trust in its services. HPE’s customers faced the risk of being targeted by subsequent attacks using information stolen from HPE, such as sensitive data.

Justify the lack of economic impact as a result of this attack

On the other hand, HPE stated that the incident did not have a material impact on its operations, financial condition or results of operations.

The similarities and differences between the two attacks

Both attacks were carried out by the same hacking group, Midnight Blizzard, which is linked to the Russian government. Both attacks used the same means of access, Microsoft 365 email, which is a cloud-based email platform used by many organizations. Both attacks allowed hackers to exfiltrate sensitive data, such as emails, attachments, source code, or secrets. Both attacks had consequences for the victim companies, their customers, and geopolitics.

There were also differences between the two attacks. The attack on Microsoft was longer, deeper, and more widespread than the attack on HPE. The attack on Microsoft lasted several months, while the attack on HPE lasted a few weeks. The attack on Microsoft allowed the attackers to gain access to the company’s source code repositories and internal systems, while the attack on HPE was limited to email and SharePoint files. The attack on Microsoft affected thousands of customers, while the attack on HPE did not specify how many customers were affected.

What types of data does Midnight Blizzard exfiltrate?

What types of data does Midnight Blizzard exfiltrate?

Midnight Blizzard is the name given to a group of cybercriminals who have carried out cyber attacks against Microsoft, HPE, and their customers. This group is also known as Nobelium, Cozy Bear, or APT29. It managed to break into these companies’ cloud email systems and steal sensitive data. Microsoft said that Midnight Blizzard also accessed some of its source code and internal systems, but that it did not compromise Microsoft-hosted client systems.

“In recent weeks, we have seen Midnight Blizzard [Nobelium] use information initially exfiltrated from our corporate email systems to obtain, or attempt to obtain, unauthorized access,” Microsoft said in a blog post. “This includes access to some of the company’s source code repositories and internal systems. To date, we have found no evidence that Microsoft-hosted client systems have been compromised.”

Midnight Blizzard Exfiltrated Data Category

The data exfiltrated by Midnight Blizzard can be grouped into three main categories:

Communication data

Communication data is data that relates to interactions between Microsoft and HPE employees, partners, or customers. They include emails, attachments, contacts, calendars, notes, or instant messages. This data may contain confidential, strategic or personal information, such as trade secrets, project plans, contracts, reports, opinions, identifiers. This data was exfiltrated at Microsoft and HPE.

Source code data

Source code data is data that relates to the development of Microsoft’s products or services. They include files, repositories, versions, comments, or tests related to the source code. This data may reveal technical, functional, or security information, such as algorithms, architectures, features, vulnerabilities, patches, or backdoors. This data was exfiltrated only at Microsoft.

Internal system data

Communication and internal system data is data that relates to the exchange and operation of Microsoft and HPE’s internal systems. This includes emails, attachments, contacts, calendars, notes, instant messages, files, configurations, logs, audits, or scans of internal systems. This data may contain confidential, strategic or personal information, such as trade secrets, project plans, contracts, reports, opinions, identifiers. This data can also provide information about the performance, security, or reliability of internal systems. This data was exfiltrated at Microsoft and HPE.

What are the estimated values of the data exfiltrated by Midnight Blizzard?

It is difficult to estimate the exact value of the data exfiltrated by Midnight Blizzard, as it depends on several factors, such as the quantity, quality, freshness, rarity, or usefulness of the data. However, an approximate range can be attempted based on official sources or existing studies.

HPE’s SEC filing indicates that the security incident’s repercussions on their operational, financial, or business performance were minimal. This suggests the exfiltrated data’s worth is on the lower end, possibly just a few thousand dollars. On the other hand, Microsoft’s annual report documents a staggering $168.1 billion in revenue for 2023, with $60.7 billion attributed to their cloud division. Such figures lead to the conclusion that the stolen data from Microsoft could be highly valuable, potentially in the millions. Further, the Ponemon Institute’s study reports the average data breach cost in 2023 at $4.24 million, the highest to date, encompassing various associated costs. These costs include activities like detection and response, as well as indirect losses like diminished productivity and tarnished reputation. Therefore, it stands to reason that the value of data taken from Microsoft and HPE’s customers is similarly high, potentially reaching tens of millions of dollars.

What are the potential consequences of the data exfiltrated by Midnight Blizzard?

The data exfiltrated by Midnight Blizzard can have serious potential consequences for the victim companies, their customers, and geopolitics. Here are a few examples:

  • Communication data can be used to carry out phishing, malware, or social engineering attacks, impersonating trusted individuals, exploiting security vulnerabilities, or manipulating emotions. These attacks can aim to steal other data, take control of systems, destroy or alter data, or extort ransoms.
  • Source code data can be used to discover and exploit vulnerabilities, to copy or modify functionality, to create competing products or services, or to infringe intellectual property. These actions may adversely affect the security, quality, innovation, or competitiveness of Microsoft or HPE products or services.
  • Internal system data may be used to understand and disrupt Microsoft or HPE’s operations, organization, or performance, to reveal sensitive or confidential information, to create false information or rumors, or to influence decisions or behaviors. These actions may damage the reputation, trust, satisfaction, or loyalty of Microsoft or HPE customers, partners, or employees.

How could PassCypher HSM have prevented the cyberattack on Microsoft and HPE?

The cyberattack on Microsoft and HPE used weak or reused passwords to access email accounts. PassCypher NFC HSM or PassCypher HSM PGP is a hardware-based password manager, which allows you to create and use strong, unique, and random passwords, without knowing, remembering, displaying, or entering them manually. It uses Freemindtronic’s EviCore HSM PGP or EviCore NFC HSM technology to communicate contactlessly with compatible devices, and has a complicated and complex random password generator with self-entropy control based on shannon mathematical calculation.

With PassCypher NFC HSM or PassCypher HSM PGP solutions, users can effectively protect themselves against password spray attacks quickly, easily, and even free of charge. This is because PassCypher HSM PGP is originally completely free. He presented for the first time in Marseille on 6-7 March 2024 at AccessSecurity at the PhosPhorus Technology stand, partner of Fullsecure Andorra.

How could DataShielder have protected email messages and email attachments from being exfiltrated by hackers?

As you read more in this article, the cyberattack against Microsoft and HPE exfiltrated communication data, such as emails, attachments, contacts, notes, or instant messages. DataShielder NFC HSM or DataShielder HSM PGP are solutions for encrypting post-quantum data via NFC HSM or HSM PGP. Users encrypt and decrypt their communication data, only from their HSMs via physically outsourced segmented keys from the IT or phone systems. It works without a server or database and without any dependency on the security of communication systems. Of course, without the need to connect to an online service, or entrust your encryption keys to a third party. They have a random AES-256 encryption key generator. In particular, it embeds Freemindtronic’s EviCypher technology, which also encrypts webmail such as Outlook. With DataShielder solutions, users can protect themselves from data exfiltration by hackers and ensure the confidentiality, integrity, and authenticity of their communications.

Recommendations to protect yourself from cyber threats

The cyberattacks against Microsoft and HPE show that cyber threats are real, growing, and sophisticated. They also show that businesses of all sizes, industries, and locations need to take cybersecurity seriously and adopt best practices to protect themselves effectively. Here are some recommendations:

  • Enable multi-factor authentication, which involves requiring two or more credentials to log in to an account, such as a password and a code sent via SMS or email. This helps reduce the risk of being compromised by a password spray attack.
  • Review account permissions, which determine access rights to company resources and data. This helps limit the risk of an attack spreading from a compromised account.
  • Monitor suspicious activity, which may indicate an attempted or successful attack, such as unusual logins, file changes, data transfers, or security alerts. This makes it possible to detect and stop an attack as early as possible.
  • Use security solutions that provide protection, detection, and response to cyber threats, such as antivirus, firewalls, intrusion detection and prevention systems, or monitoring and analytics services. This makes it possible to strengthen the security of the information system and to benefit from the expertise of cybersecurity professionals.
  • Educate users, who are often the weakest link in the security chain, and who can fall victim to phishing, malware, or social engineering. This includes training them in good cybersecurity practices, informing them of the risks and instructions to follow in the event of an incident, and encouraging them to adopt responsible and vigilant behavior.

In conclusion

In conclusion, Midnight Blizzard’s cyberattacks expose critical vulnerabilities in global tech infrastructure. Through these incidents, we learn the importance of robust security measures like PassCypher and DataShielder. Moving forward, adopting advanced defenses and staying informed are key to combating future threats. Let’s embrace these lessons and protect our digital world.

Sources:

2024, Articles, Compagny spying, Digital Security, Industrial spying, Military spying, News, Spying, Zero trust

KingsPawn A Spyware Targeting Civil Society

Posted on by FMTAD
KingsPawn A Spyware
16
Apr

 

KingsPawn from QuaDream Spyware Threat

KingsPawn, a spyware developed and sold by QuaDream based on digital offensive technology to governments. Its spyware, named Reign, uses zero-click exploits to infiltrate the mobile devices of civil society victims. In this article you will learn how QuaDream works, who its Cyber victims and customers have been, and how to protect yourself from this type of dangerous spyware

To learn more about the potential dangers of KingsPawn spyware, read “QuaDream: Spyware That Targets Civil Society.” Stay informed by browsing our constantly updated topics

How to Secure Your Data from QuaDream’s KingsPawn Spyware,” written by Jacques Gascuel, the innovator behind advanced sensitive data security and safety systems, provides priceless knowledge on the topic of data encryption and decryption. Are you prepared to enhance your comprehension of data protection?

QuaDream: KingsPawn spyware vendor shutting down in may 2023

QuaDream was a company that sold digital offensive technologies to governments. Its main product, Reign, was a spyware that used zero-click exploits to hack mobile devices. A few months after Pegasus, a similar spyware by NSO Group, Microsoft and Citizen Lab found QuaDream’s Reign / KingsPawn spyware and its victims worldwide.

However, in May 2023, QuaDream stopped its activitiesMay 2023, QuaDream stopped its activities, due to the Israeli government’s restrictions on its spyware export. QuaDream had developed other espionage technologies, such as ENDOFDAYS, that it sold to foreign governments, like Morocco, Saudi Arabia, Mexico, Ghana, Indonesia and Singapor.

QuaDream tried to sell its assets to other players, but the Israeli government blocked them It is unknown if the spyware KingsPawn is still active and used, or who controls it. Therefore, it is advised to be vigilant and protect your data with reliable security solutions.

How QuaDream’s Exploits KingsPawn her Spyware Work

According to Microsoft, QuaDream has an arsenal of exploits and malware that it calls KingsPawn. It includes a suspected exploit for iOS 14, named ENDOFDAYS, that seems to use invisible iCloud calendar invitations sent by the spyware operator to the victims. This exploit was deployed as a zero-day against iOS 14.4 and 14.4.2 versions, and maybe others.

The KingsPawn spyware is designed to exfiltrate data from the infected devices, such as contacts, messages, photos, videos, audio recordings, location data, browser information and app data. The malware communicates with command and control (C2) servers via encrypted protocols and uses evasion techniques to avoid detection.

How the KingsPawn spyware infects phones

The main infection vector of KingsPawn is the ENDOFDAYS exploit, which does not require any user interaction to execute. The spyware operator sends an invisible iCloud calendar invitation to the target’s phone number or email address. The invitation contains a malicious link that triggers the exploit when the phone processes the notification. The exploit then downloads and installs the KingsPawn malware on the device, without the user’s knowledge or consent.

The spyware operator can also use other methods to deliver the malicious link, such as phishing emails, SMS, social media messages, or fake websites. However, these methods require the user to click on the link, which reduces the chances of success.

KingsPawn Datasheet

The following table summarizes the main features and characteristics of the KingsPawn malware:

Feature Description
Name KingsPawn
Developer QuaDream
Platform iOS
Version 1.0
Size 2.5 MB
Permissions Full access to device data and functions
Capabilities Data exfiltration, audio recording, camera capture, location tracking, file search, keychain access, iCloud password generation, self-deletion
Communication Encrypted TCP and UDP protocols
C2 servers Multiple domains and IP addresses, some located in Israel, Bulgaria, Czech Republic, Hungary, Ghana, Mexico, Romania, Singapore, UAE, and Uzbekistan
Victims At least five civil society actors, including journalists, political opponents, and an NGO worker, in North America, Central Asia, Southeast Asia, Europe, and the Middle East
Customers Several governments, some with poor human rights records, such as Singapore, Saudi Arabia, Mexico, Ghana, Indonesia, and Morocco

How to Detect KingsPawn

KingsPawn is a stealthy and sophisticated malware that can evade most antivirus and security software. However, there are some signs and symptoms that can indicate a possible infection, such as:

  • Unusual battery drain or overheating of the device
  • Increased data usage or network activity
  • Unexpected pop-ups or notifications
  • Changes in device settings or behavior
  • Presence of unknown apps or files

If you notice any of these signs, you should scan your device with a reliable antivirus or security app, such as Malwarebytes or Norton. These apps can detect and remove KingsPawn and other malicious software from your device.

How to Protect Against KingsPawn

If you suspect that your device is infected by KingsPawn, you should take the following steps to remove it and protect your data:

  • Disconnect your device from the internet and any other networks
  • Backup your important data to a secure external storage
  • Perform a factory reset of your device to erase all data and settings
  • Restore your device from a clean backup or set it up as a new device
  • Update your device to the latest version of iOS and install security patches
  • Change your passwords and enable two-factor authentication for your online accounts
  • Avoid clicking on suspicious links or opening attachments from unknown sources
  • Use a reputable antivirus or security app to scan your device regularly

These steps will help you to get rid of KingsPawn and prevent it from infecting your device again. However, you should also be aware of the risks of using unsecured email services, such as iCloud web mail, which can be compromised by hackers or spyware. To protect your emails and other sensitive data, you should use a technology that encrypts your data with a hardware security module (HSM), such as EviCypher NFC HSM or DataShielder HSM PGP.

Who Are the Victims and Customers of QuaDream?

Citizen Lab, a research lab at the University of Toronto, identified at least five civil society victims of the spyware and exploits of QuaDream in North America, Central Asia, Southeast Asia, Europe and the Middle East. The victims include journalists, political opponents and a worker of a non-governmental organization (NGO). Citizen Lab did not reveal the names of the victims for security reasons, but one of them agreed to share his testimony anonymously:

I was shocked when I learned that my phone was infected by QuaDream. I had no idea tat they were targeting me. I work for a human rights NGO and I have been involved in several campaigns to denounce the abuses of authoritarian regimes. I fear that they have accessed my personal and professional data, and that they have compromised my contacts and sources.

Citizen Lab also detected QuaDream servers operated from Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE) and Uzbekistan. These countries could be potential or current customers of QuaDream, which sells its Reign platform to governments for law enforcement purposes. Media reports indicate that QuaDream sold its products to Singapore, Saudi Arabia, Mexico and Ghana, and offered its services to Indonesia and Morocco.

What Is the Link Between QuaDream and InReach?

QuaDream had a partnership with a Cypriot company called InReach, with which it is currently in legal dispute. The two companies accused each other of fraud, theft of intellectual property and breach of contract. Several key people associated with both companies have previous links with another surveillance provider, Verint, as well as with Israeli intelligence agencies.

Microsoft and Citizen Lab shared information about QuaDream with their customers, industry partners and the public, to improve the collective knowledge of how PSOAs (private sector offensive actors) operate and how they facilitate the targeting and exploitation of civil society. Microsoft calls for stricter regulation of PSOAs and increased protection of human rights in cyberspace.

Conclusion

QuaDream is a new spyware vendor that poses a serious threat to civil society. Its spyware, named Reign, uses zero-click exploits to infiltrate the mobile devices of civil society victims. QuaDream has sold its products to several governments, some of which have a poor record of human rights. QuaDream is also involved in a legal dispute with another company, InReach, over the ownership of the spyware technology. The international community should be aware of the dangers of QuaDream and other PSOAs, and take action to prevent their abuse.