Software giant Microsoft has made an urgent public announcement that the Russian secret service is currently sending thousands of weaponized spear-phishing emails to key individuals in over 100 organizations in countries including the US and the UK.
According to Microsoft: “The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS)… In some of the lures, the actor attempted to add credibility to their malicious messages by impersonating Microsoft employees.”
The phishing emails also use genuine email addresses belonging to legitimate organizations that were stolen during previous cyber thefts. So far, they have mainly been sent to individuals in government, academia, defense, non-governmental organizations, and other sectors.
The group responsible is a Russian threat actor known as Midnight Blizzard sometimes referred to as APT29 or Cozy Bear. The United States and United Kingdom governments believe that Midnight Blizzard is a front for the Foreign Intelligence Service of the Russian Federation, also known as the SVR. It is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the US and Europe. Its focus is believed to be to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018.
However, companies whose activities fall outside the categories so far targeted by Midnight Blizzard must also heed Microsoft’s urgent warning. The Russian threat actor is reported to be using supply-chain attacks to breach targeted organizations. In compromising suppliers to its target organizations, Midnight Blizzard is extending its net to include all types of service providers.
Russia has a long history of blackmailing individuals
Nor should executives believe that their organizations are not at risk if they do not possess the kind of state secrets and restricted data that the Russian secret service is after. Individuals working for companies supplying target organizations or who may have contacts within those organizations may also find themselves becoming targets. The SVR has a long history of compromising and blackmailing unsuspecting individuals in order to pressure them into performing tasks designed to breach their own and other organizations’ security.
The sudden escalation in the kind of attacks currently being orchestrated by Midnight Blizzard is likely to be the result of the Russians using artificial intelligence (AI) software to carry out spear-phishing and account compromise attacks on a much greater scale than they could previously. Social engineering, the practice of carrying out detailed research on target-individuals regarding their online presence and participation in social networks etc, can now be automated, as can the sending out of convincingly-crafted messages appearing to come from trusted sources.
All organizations, particularly those with even the remotest connections to the Russian secret service’s target sectors in the West, must now double down on educating staff about the dangers of opening links in emails that do not come from a verified source. Organizations that have not already done so should also consider employing a ‘Zero Trust’ model, where incoming emails and messaging must always go through a verification process before they are opened.
