A cyberespionage attacks levied by Cozy Bear is seen backed by Russian cyberespionage group backed by the Russian government.
Cozy Bear targets Microsoft 365 accounts in NATO countries. It continued to conceal the methods of attacking their targets from analysts, preventing their discovery and exposure.
There is a feature known as Purview Audit. Users of a higher-level license of Microsoft 365 are entitled to use. The following information is logged each time an email is accessed independently of an enabled program:-
- User agents
- IP addresses
Hackers disable the Purview Audit feature on a compromised account before opening the mail folder of a targeted user to evade audits. It also enables users to self-enroll in Azure AD for MFA using a form provided by Azure.
The Russian hackers traversed the domain and enrolled their devices with MFA using brute force attacks on usernames and passwords.
The APT group uses compromised accounts to be able to use Azure Virtual Machines as part of their strategy to hide their tracks. By mixing malicious activity with legitimate Azure AD admin activity, APT29 further obfuscates its intentions.
It is believed that they have started collecting emails from targeted mailboxes in the tenant by using the account with ApplicationImpersonation rights and backdooring a service principal.
Whether these subscriptions were purchased or compromised by nation-state actors is unclear. Russian hacking group Cozy Bear is among the most skilled in the world.
Eventhough operational security standards is in place, Cozy Bear has developed its technical tradecraft in recent years.