New Mandiant research into the Russian hacker group APT29 behind the 2021 SolarWinds attack shows the attackers are adopting new tactics and continue to actively target Microsoft 365.
APT29 has also been observed re-targeting previous victims - particularly those with influence or close ties to NATO countries. This shows that the cyber criminals are persistent, aggressive and with a lot of dedication to further develop their technical skills.
Focus on operational safety
APT29 continues to demonstrate exceptional operational security and evasive tactics. In addition to using proxies in homes to obfuscate their recent access to victim environments, Mandiant has observed APT29 turning to Azure Virtual Machines. The virtual machines used by APT29 exist in Azure subscriptions outside of the victim organization.
Mandiant is not aware if these subscriptions were compromised or bought by APT29. Obtaining access to the last mile from trusted Microsoft IP addresses reduces the likelihood of detection. Because Microsoft 365 itself runs on Azure, the Azure AD sign-in and unified audit logs already contain many Microsoft IP addresses, and it can be difficult to quickly determine whether an IP address is associated with a malicious VM or a M365 backend service belongs.
Insights from Mandiant's research
- New tactics include disabling Purview Audit in Microsoft. The Purview Audit License is an important log source to determine if a cybercriminal is accessing a specific mailbox. By gaining access and disabling that license, APT29 allows the group to essentially erase any trace of their presence.
- Another tactic is exploiting the self-registration process for multi-factor authentication (MFA) in Azure Active Directory. After APT29 successfully launched a password-guessing attack against a list of mailboxes, the hackers were able to sign up for MFA with an inactive account. After registering, APT29 was able to use the account to access the company's VPN infrastructure.
Mandiant offers the full report on its English-language blog
More at Mandiant.com
About Mandiant Mandiant is a recognized leader in dynamic cyber defense, threat intelligence and incident response. With decades of experience on the cyber frontline, Mandiant helps organizations confidently and proactively defend against cyber threats and respond to attacks. Mandiant is now part of Google Cloud.