Midnight Blizzard

Threat Actor updated 3 days ago (2024-11-20T18:10:12.194Z)
Midnight Blizzard, also known as APT29 and Cozy Bear, is a Russia-linked threat actor assessed to be tied to the country's Foreign Intelligence Service (SVR). The group has been implicated in several high-profile intrusions, including breaches of Microsoft and Hewlett Packard Enterprise (HPE) systems; in the Microsoft case it used information stolen from the company's corporate email systems to reach source code repositories and internal systems.

Its tradecraft includes password spray attacks and spear-phishing campaigns. In a recent campaign it introduced Remote Desktop Protocol (RDP) configuration files as a novel initial-access vector: the cybersecurity community has noted Midnight Blizzard's use of signed .rdp files which, once opened, establish a quick, bidirectional RDP session between the victim's device and an attacker-controlled server. This was particularly evident in a large-scale spear-phishing campaign whose lures impersonated Microsoft and Amazon Web Services (AWS) and used zero-trust themes.

The group has also exploited vulnerabilities in widely used networking and collaboration products from vendors such as Fortinet, Pulse Secure, Citrix, and Zimbra to establish initial footholds on target networks.

In response, Microsoft released indicators of compromise (IoCs) for the new campaign, including email sender domains, RDP files, and RDP remote computer domains. The Microsoft alert followed Amazon's takedown of domains that mimicked its services after Midnight Blizzard used them in Ukrainian-language phishing emails carrying RDP configuration files. Midnight Blizzard continues to pose a significant threat to organizations worldwide; defenders should block or quarantine unsolicited .rdp attachments, restrict outbound RDP from workstations, and check mail and network logs against the published IoCs.
Description last updated: 2024-11-15T16:12:04.175Z
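The RDP-file technique described above is easier to reason about once you see what such an attachment actually contains. The triage script below is an added example, not code from this page or from Microsoft: it parses the key:type:value lines of an .rdp file, extracts the remote host, and flags the resource-redirection settings (drives, clipboard, smart cards, WebAuthn) that hand the victim's local resources to the remote server, along with RemoteApp mode and the presence of a signature block. The allowlisted domain corp.example, the hosts in the two constructed sample files, and the signature blob are placeholders, not indicators from the campaign.

```python
"""Triage an .rdp attachment for the lure pattern: an outbound RDP connection to an
unexpected host combined with local-resource redirection (added example, not page code)."""
from __future__ import annotations

# Domains whose RDP endpoints this organisation expects (hypothetical allowlist).
ALLOWED_DOMAINS = ("corp.example",)

# Settings that either hand local resources to the remote host or hide what is happening.
# Each entry maps an .rdp key to a predicate that is True when the value is risky.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v not in ("", "0"),  # "*" or a drive list shares local disks
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "redirectwebauthn": lambda v: v == "1",             # forwards FIDO / Windows Hello prompts
    "remoteapplicationmode": lambda v: v == "1",        # RemoteApp hides the remote desktop
}


def decode_rdp(data: bytes) -> str:
    """mstsc saves .rdp files as UTF-16 LE with a BOM; hand-built lures are often plain text."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict[str, str]:
    """Parse 'key:type:value' lines into {key: value}; keys are case-insensitive."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)  # the value may itself contain ':' (host:port, base64)
        if len(parts) != 3:
            continue
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def remote_host(settings: dict[str, str]) -> str | None:
    """Return the target host from 'full address' without its port, or None."""
    addr = settings.get("full address", "")
    if not addr:
        return None
    if addr.startswith("["):            # [ipv6]:port
        return addr[1:addr.index("]")].lower() if "]" in addr else addr.lower()
    if addr.count(":") == 1:            # host:port
        return addr.split(":", 1)[0].lower()
    return addr.lower()


def triage(data: bytes, allowed: tuple[str, ...] = ALLOWED_DOMAINS) -> dict:
    """Return the remote host, whether the file is signed, the findings and a verdict."""
    settings = parse_rdp(decode_rdp(data))
    host = remote_host(settings)
    findings: list[str] = []
    host_untrusted = host is None or not any(
        host == d or host.endswith("." + d) for d in allowed
    )
    if host_untrusted:
        findings.append(f"remote host not in allowlist: {host}")
    redirected = [k for k, risky in RISKY_SETTINGS.items() if k in settings and risky(settings[k])]
    findings.extend(f"{k}={settings[k]}" for k in redirected)
    signed = "signature" in settings
    if signed:
        # A signature names a publisher and suppresses some mstsc prompts; it says nothing
        # about whether the destination is trustworthy.
        findings.append("signed .rdp file")
    if host_untrusted and redirected:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"host": host, "signed": signed, "findings": findings, "verdict": verdict}


# Constructed sample files (not real IoCs). The first mimics the lure pattern: an external
# host, local drives/clipboard/smart cards/WebAuthn redirected, RemoteApp mode and a fake
# signature block. The second is an ordinary connection to an internal terminal server.
LURE_RDP = b"""full address:s:rdp.example-lure.test
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
signscope:s:Full Address,Remote Application Mode,Drives To Redirect
signature:s:AQABAAEAAACONSTRUCTEDSIGNATUREBLOB
"""
BENIGN_RDP = b"\xff\xfe" + (
    "full address:s:ts01.corp.example:3389\r\ndrivestoredirect:s:\r\nredirectclipboard:i:0\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("lure", LURE_RDP), ("benign", BENIGN_RDP)):
        print(name, triage(blob))
```

Run it against files pulled from the mail gateway's attachment quarantine; a file that both points outside the allowlist and turns on redirection is the pattern worth blocking outright, while a signed file to an internal host only merits a look at who the publisher is.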
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names / profiles that may also be relevant. Each entry gives the alias, its vote count, and a truncated excerpt of that profile's description.
APT29 (8 votes): APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw…

NOBELIUM (6 votes): Nobelium, a Russia-linked Advanced Persistent Threat (APT) group, also known under various aliases such as APT29, SVR group, BlueBravo, Cozy Bear, Midnight Blizzard, and The Dukes, has been actively involved in large-scale cyber espionage campaigns. The threat actor has been targeting French diploma…

Cozy Bear (6 votes): Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy…

The Dukes (5 votes): The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in Se…

Bluebravo (3 votes): BlueBravo, a threat actor linked to the Russia-based Advanced Persistent Threat (APT) group APT29, has been identified as a significant cyber threat. Also known by various other names such as SVR Group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes, this entity is suspected of conducting sev…

Cozybear (2 votes): CozyBear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian state. This group has been actively engaged in cyber operations against Ukraine and its allies and has been involved in several major breaches, including attacks on Okta, Dropbox, Department o…

Svr (2 votes): SVR, Russia's civilian foreign intelligence service and the successor organization to the KGB's First Chief Directorate, has been conducting cyber espionage activities for years. Known in open source as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and the Dukes, SVR hackers have been spying on US,…
UNC2452 (2 votes): UNC2452, also known as Midnight Blizzard, Cozy Bear, APT29, and Nobelium, is a sophisticated threat actor responsible for several high-profile cyber attacks. The group gained notoriety in December 2020 when its compromise of the SolarWinds software supply chain was discovered, an event tracked by Mandiant, a leading cybersecurit…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft, State Sponso..., Phishing, Apt, Blizzard, Russia, CISA, Proxy, Exploit, Email Accounts, France, Source, Zero Day, Vulnerability, Svr, Corporate, Lateral Move..., Zimbra, Espionage, Domains, Teamcity, Malware
Associated Threat Actors
Each entry gives the associated actor, the association type, the vote count, and that actor's description.

APT28 (association type: Unspecified; 2 votes): APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate (GRU), is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC).
Source Document References
Information about the Midnight Blizzard threat actor was read from the documents in the corpus below (source and age at the time of this snapshot; the display is limited to 20 results).

CERT-EU (8 months ago)
BankInfoSecurity (24 days ago)
DARKReading (8 days ago)
CISA (22 days ago)
DARKReading (24 days ago)
Securityaffairs (24 days ago)
InfoSecurity-magazine (25 days ago)
Securityaffairs (a month ago)
InfoSecurity-magazine (a month ago)
DARKReading (2 months ago)
DARKReading (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (4 months ago)
CERT-EU (10 months ago)
CERT-EU (9 months ago)
BankInfoSecurity (5 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)