Midnight Blizzard Hack Group

8bz1...QVcw
26 Jan 2024

Midnight Blizzard, also known as APT29, is a threat actor group suspected to be associated with the Russian Foreign Intelligence Service (SVR). The first Midnight Blizzard operations date back to 2008, when the first MiniDuke malware samples were compiled, according to Kaspersky. APT29 uses a wide range of advanced techniques in its cyber operations to support the SVR's intelligence requirements.


Midnight Blizzard has been involved in several high-profile intrusions, including the Office Monkeys campaign, which targeted a private research institute based in Washington DC in 2014, the Pentagon in 2015, the Democratic National Committee (DNC) and U.S. think tanks in 2016, and the Norwegian Government and various Dutch ministries in 2017. The group has also targeted organizations linked to medical research in the education sector. It is highly likely that the group targets such institutions for espionage purposes, with the aim of stealing data on medical advances in the West.

Midnight Blizzard maintains a wide range of specialized tools developed in various programming languages, demonstrating the resources at its disposal. The group also uses publicly available commodity tools such as Mimikatz and Cobalt Strike.


Targeted Sectors
Midnight Blizzard mainly targets organizations responsible for influencing the foreign policy of NATO countries. It has also been documented to focus on organizations across a variety of sectors, including education, energy, telecommunications, government, and military.

Threat Actor Motivations
Midnight Blizzard's motivations can be evaluated by observing the strategies it employs within the scope of its campaigns. The group is known for its interest in secret geopolitical data that will benefit the Russian state. Midnight Blizzard operates under the SVR, an intelligence agency with the capabilities to conduct advanced cyberespionage operations. In this respect, Midnight Blizzard acts with espionage motivations.


Threat Actor Activity Timeline
2014: Midnight Blizzard runs the 'Office Monkeys' campaign targeting a private research institute based in Washington DC.

2015: Midnight Blizzard gained initial access to the Pentagon's network through phishing and introduced the 'Hammertoss' technique to use fake Twitter accounts for command and control (C2) communications.

2016: In a campaign known as 'GRIZZLY STEPPE', Midnight Blizzard breached DNC servers close to the US elections via a phishing campaign that directed victims to change their passwords using a fake website.

2017: Targets the Norwegian Government and various Dutch ministries.

2019: Three EU National Affairs ministries and one EU nation-state's Washington DC-based embassy are compromised

2020: Vulnerability scanning of public IP addresses to compromise COVID-19 vaccine developers in Canada, US and UK

2020: Distributes SUNBURST malware and attacks SolarWinds Orion software, releasing a remote access trojan (RAT) affecting many global organizations

2023: Midnight Blizzard conducts targeted social engineering operations via Microsoft Teams


Associated Malware
PinchDuke: This was the first toolset widely attributed to Midnight Blizzard. The toolkit consists of multiple installers and a basic information stealing trojan. The malware collects system configuration information, steals user credentials, and collects user files from the compromised host, transferring them to a C2 server via HTTP(S). PinchDuke was reportedly used from November 2008 until the summer of 2010 and was observed in attacks against Chechnya, Turkey, Georgia, and several former Soviet states before switching to the CosmicDuke toolset in 2010.

CosmicDuke: The CosmicDuke toolkit is an information-stealing malware. It is enriched with a variety of components that toolset operators can incorporate into the main component to provide additional functionality, such as multiple methods of establishing persistence, as well as modules that attempt to exploit privilege escalation vulnerabilities. CosmicDuke was used from January 2010 through the summer of 2015 and was observed targeting a wide range of organizations, including the energy and telecommunications sectors, governments, and the military.

GeminiDuke: The GeminiDuke toolset consists of a core information stealer, an installer, and many persistence-related components. Unlike CosmicDuke and PinchDuke, it primarily collects information about the configuration of the target system. GeminiDuke was actively used from January 2009 to December 2012.

CozyDuke: CozyDuke is a modular malware platform built around a core backdoor component. It can be instructed by the C2 server to download and run optional modules, providing a wide range of functionality. In addition to modules, CozyDuke can also be instructed to download and run other standalone executables. In some cases observed, these executables were self-extracting archive files containing common hacking tools such as PSExec and Mimikatz, and were combined with scripts that run these tools. CozyDuke was used by Midnight Blizzard from January 2010 until spring 2015.

OnionDuke: The OnionDuke toolset includes at least a dropper, an installer, an information-stealing trojan, and multiple modular variants. OnionDuke was the only tool used by Midnight Blizzard that did not spread via phishing, but instead via a malicious Tor exit node. OnionDuke was observed from February 2013 to spring 2015.


SeaDuke: SeaDuke is a backdoor malware that focuses on executing commands received from the C2 server, such as uploading and downloading files, executing system commands, and evaluating additional Python code. SeaDuke was active from October 2014 to May 2016 and was observed during Midnight Blizzard's DNC attack in 2015.

Hammertoss: Midnight Blizzard likely used Hammertoss as a backup for its two main backdoors to execute commands and maintain access in case the group's core toolset was discovered. Hammertoss was in use from at least January 2015 to July 2015.

CloudDuke: CloudDuke is a malware toolkit known to consist of at least a downloader, an installer, and two backdoor variants, including MiniDionis/Cloudlook. The CloudDuke downloader will download and run additional malware from a pre-configured location. CloudDuke was primarily used in the summer of 2015.

Cobalt Strike Beacon: In a phishing campaign linked to Midnight Blizzard in November 2018, the threat actor group used Cobalt Strike Beacon rather than any specific malware or toolset. Beacon data was structured with a modified variation of the publicly available "Pandora" Malleable C2 Profile and used the C2 domain

PowerDuke: PowerDuke was delivered to targets via emails containing a Microsoft Word or Excel file with malicious macros. If the macro runs successfully, a PNG image is downloaded from a compromised web server; the PowerDuke trojan is hidden within the PNG image using steganography. PowerDuke was first seen in August 2016 and was used in the post-election spearphishing campaign of November 2016, the most recent operation widely attributed to Midnight Blizzard.

POSHSPY: POSHSPY is a backdoor that leverages PowerShell and Windows Management Instrumentation (WMI). Because the payload runs inside PowerShell, only legitimate system processes are involved, and the malicious code execution can only be identified through advanced logging or memory analysis. POSHSPY has been active since at least early 2015.



IP Addresses Associated with Midnight Blizzard:
193[.]36[.]119[.]162
91[.]132[.]139[.]195
141[.]255[.]164[.]11
193[.]36[.]116[.]119
185[.]99[.]133[.]226
5[.]252[.]177[.]21
111[.]90[.]150[.]140
23[.]106[.]123[.]15

Midnight Blizzard Associated Domains:
avsvmcloud[.]com
literaturaelsalvador[.]com
signitivelogics[.]com
totalmassasje[.]no
2bdo5s70oc51vu3de3bvrq60eiw[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]co
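The indicators above are published in defanged form (`[.]` in place of `.`), so they cannot be pasted straight into a log search. The following script is an added example, not part of the original post: it refangs the IPs and domains listed above and matches them against proxy and DNS log lines, treating any subdomain of a listed domain (such as the `appsync-api` hostnames under avsvmcloud[.]com) as a hit while rejecting look-alikes such as `notavsvmcloud.com`. The log lines, the `SAMPLE_LOGS` name and the log format are constructed for the example; the IoC values are those from the post.

```python
"""Added example (not part of the original post): refang the defanged IoCs
listed in the post and match them against proxy/DNS log lines.
The IoC values come from the post; the log lines are constructed sample data."""
import ipaddress
import re
from typing import Iterable

# Indicators exactly as published in the post (defanged with [.]).
DEFANGED_IPS = [
    "193[.]36[.]119[.]162", "91[.]132[.]139[.]195", "141[.]255[.]164[.]11",
    "193[.]36[.]116[.]119", "185[.]99[.]133[.]226", "5[.]252[.]177[.]21",
    "111[.]90[.]150[.]140", "23[.]106[.]123[.]15",
]
DEFANGED_DOMAINS = [
    "avsvmcloud[.]com", "literaturaelsalvador[.]com",
    "signitivelogics[.]com", "totalmassasje[.]no",
]


def refang(ioc: str) -> str:
    """Turn the publication-safe form ('[.]', 'hxxp') back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


# Constructed sample log lines (a proxy line and a DNS resolver line); not real traffic.
SAMPLE_LOGS = [
    "2024-01-26T10:01:02Z proxy src=10.0.0.5 dst=193.36.119.162 host=example.org method=GET",
    "2024-01-26T10:01:05Z dns client=10.0.0.7 query=abc123.appsync-api.eu-west-1.avsvmcloud.com type=A",
    "2024-01-26T10:01:09Z proxy src=10.0.0.5 dst=93.184.216.34 host=example.com method=GET",
    "2024-01-26T10:01:12Z dns client=10.0.0.9 query=notavsvmcloud.com type=A",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels ending in an alphabetic TLD, so dotted IPs are not picked up here.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_matches(candidate: str, watch: str) -> bool:
    """True when candidate equals the watched domain or is a subdomain of it.
    The label boundary is enforced so 'notavsvmcloud.com' does not match."""
    candidate = candidate.lower().rstrip(".")
    return candidate == watch or candidate.endswith("." + watch)


def scan_logs(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, matched_ioc, line) for every line that touches an IoC."""
    ips = {refang(x) for x in DEFANGED_IPS}
    for ip in ips:
        ipaddress.ip_address(ip)  # fail early if an indicator was mis-typed
    domains = [refang(x) for x in DEFANGED_DOMAINS]
    hits: list[tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip, line))
        for host in HOST_RE.findall(line):
            for d in domains:
                if domain_matches(host, d):
                    hits.append((n, d, line))
    return hits


if __name__ == "__main__":
    for n, ioc, line in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {ioc} -> {line}")
```

Run against the constructed sample, the first line is flagged on the IP 193.36.119.162 and the second on the avsvmcloud.com subdomain; the look-alike `notavsvmcloud.com` on the last line is not reported. To use the script on real data, feed the open file object (or any iterable of lines) to `scan_logs` instead of `SAMPLE_LOGS`.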

A lot of people, including big companies, are being attacked lately. Untrustworthy links come from accounts of very reliable brands. Even if your mother, father, spouse or sibling sends you a link, make sure it is safe before clicking. Stay safe...
