The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information.
Microsoft 365 is a cloud-based productivity suite predominately used by business and enterprise entities, facilitating collaboration, communication, data storage, email, office, and more.
Mandiant, who has been tracking the activities of Cozy Bear (aka APT29 and Nobelium), reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.
The researchers warn that the Russian group continues to demonstrate exceptional operational security to prevent analysts from discovering and exposing their attack methods.
In a report published today, Mandiant highlights some of APT29’s advanced tactics and some of their newest TTPs (tactics, techniques, and procedures).
Focusing on Microsoft 365
Microsoft 365 users on a higher-grade E5 license enjoy a security feature named “Purview Audit” (formerly Advanced Audit). When enabled, this feature logs user agents, IP addresses, timestamps, and usernames each time an email is accessed independently of the program (Outlook, browser, Graph API).
Stealthy network intruders like APT29 would rather not have their movements traced and logged. So to evade audits on compromised accounts, the hackers disable the Purview Audit feature on a targeted user before they even touch their mail folders.
“This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure,” warns Mandiant in an APT 29 whitepaper.
“It is the only way to effectively determine access to a particular mailbox when the threat actor is using techniques like Application Impersonation or the Graph API.”
Mandiant’s second interesting finding is APT29 taking advantage of the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory (AD).
When users attempt to log in to a domain with self-enrollment policies for the first time, Windows will prompt them to enable MFA on the account.
The Russian hackers performed brute force attacks on usernames and passwords of accounts that had never logged into the domain and enrolled their devices in MFA.
Activating MFA fulfills the relevant security prerequisite for using the compromised organization’s VPN infrastructure, so APT29 is free to roam on the breached network.
Finally, Mandiant observed the threat group using Azure Virtual Machines via compromised accounts or by purchasing the service to hide their trace.
Azure VMs “contaminate” logs with Microsoft IP addresses, and since Microsoft 365 runs on Azure, it is tough for defenders to discern regular traffic from malicious actions.
APT29 further obfuscates its Azure AD admin activity by mixing malicious actions like backdooring services to collect emails with the addition of benign Application Address URLs.
APT29 is one of Russia’s most skillful hacking groups, and Mandiant’s recent findings underscore its high level of preparation and deep knowledge of the functions of targeted software.
In January 2022, CrowdStrike discovered that APT29 bypassed MFA steps in O365 accounts for years, using stolen browser cookies to hijack valid sessions.
In May 2022, Mandiant uncovered a wave of phishing campaigns orchestrated by the particular threat group, targeting governments, embassies, and high-ranking officials across Europe.
In July 2022, Palo Alto Networks analysts revealed APT29 abusing Google Drive and Dropbox cloud storage services for safer malware deployment and data exfiltration.