Jan 26, 2024 - Technology

SolarWinds hackers are making a comeback


Illustration: Sarah Grillo/Axios

The Russian hackers behind the SolarWinds cyber espionage campaign are believed to have hacked several companies in recent months, Microsoft warned Thursday.

Driving the news: Microsoft said in a blog post that it has started notifying other organizations that it believes the Russian hacking group Midnight Blizzard targeted recently.

  • The company disclosed its own Midnight Blizzard breach last week, noting that the hackers exfiltrated information from executives' email accounts.
  • Hewlett Packard Enterprise also said in a securities filing published Wednesday that it suspects Midnight Blizzard broke into its cloud-based email system last month.

Why it matters: The recent string of attacks marks the return of a Russian group that security researchers have described as both sophisticated and opportunistic.

  • Midnight Blizzard is known to primarily target governments, diplomatic entities, NGOs and IT service providers in the U.S. and Europe.

The big picture: Midnight Blizzard — which also goes by the name APT29 or Cozy Bear — is the same group behind the 2020 SolarWinds hack and the 2015 hack of the Democratic National Committee, and the group is believed to be linked to Russia's main intelligence agency.

Between the lines: One of Midnight Blizzard's go-to tactics is password spraying, a basic technique in which attackers try the same password across multiple accounts.

  • Midnight Blizzard is also known to target email accounts belonging to high-profile organizations or individuals.
  • In 2021, Microsoft uncovered a scheme in which the group had taken over an email account tied to the U.S. Agency for International Development to target other agencies, think tanks and consultants.

Details: In the new blog post, Microsoft also said that Midnight Blizzard was able to access some of its employees' inboxes by exploiting a testing environment that didn't have multifactor authentication turned on.

  • The hackers attacked a "limited number of accounts using a low number of attempts to evade detection," per the blog post.
  • Midnight Blizzard also set up proxy infrastructure to route its traffic through various IP addresses, making it more difficult to identify them.
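The password-spraying pattern described above (a few attempts per account, spread across rotating IP addresses) is hard to catch with per-account lockouts or per-IP rate limits. As an added illustration, not code from Microsoft or the article, here is a small detector that groups sign-in failures by hour across all sources and flags windows where failures are thin per account but broad across accounts; the log format, field names and sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not real telemetry): time, account, source IP, outcome.
# 03:00 hour: one failure per account from rotating IPs, then one account succeeds (a spray).
# 05:00 hour: one account failing repeatedly from one IP (brute force, not a spray).
SAMPLE_LOG = """\
2024-01-12T03:00:01Z alice 203.0.113.10 FAIL
2024-01-12T03:04:12Z bob 203.0.113.11 FAIL
2024-01-12T03:09:47Z carol 198.51.100.7 FAIL
2024-01-12T03:15:03Z dave 198.51.100.8 FAIL
2024-01-12T03:21:30Z erin 203.0.113.12 FAIL
2024-01-12T03:27:55Z frank 198.51.100.9 SUCCESS
2024-01-12T03:33:18Z alice 203.0.113.10 SUCCESS
2024-01-12T05:10:00Z bob 192.0.2.5 FAIL
2024-01-12T05:10:05Z bob 192.0.2.5 FAIL
2024-01-12T05:10:11Z bob 192.0.2.5 FAIL
"""

def parse_events(log_text):
    """Parse 'ISO-time account ip outcome' lines into dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": parts[1], "ip": parts[2], "ok": parts[3] == "SUCCESS"})
    return events

def detect_password_spray(events, min_accounts=5, max_fails_per_account=2):
    """Flag hourly windows where failures are spread thinly across many accounts.
    Per-account lockouts and per-IP rate limits miss this shape, since each account
    (and, behind a rotating proxy pool, each IP) sees only one or two tries."""
    by_hour = defaultdict(list)
    for e in events:
        by_hour[e["ts"].replace(minute=0, second=0, microsecond=0)].append(e)
    alerts = []
    for start, evs in sorted(by_hour.items()):
        fails, ips = defaultdict(int), set()
        for e in evs:
            if not e["ok"]:
                fails[e["user"]] += 1
                ips.add(e["ip"])
        if len(fails) >= min_accounts and max(fails.values()) <= max_fails_per_account:
            # A success on an account that was sprayed in this window is the likely compromise.
            hits = sorted({e["user"] for e in evs if e["ok"] and e["user"] in fails})
            alerts.append({"window": start.isoformat(), "accounts": len(fails),
                           "source_ips": len(ips), "succeeded_after_fail": hits})
    return alerts
```

The thresholds are assumptions to tune per environment; the point is that the 03:00 window is flagged on breadth across accounts while the 05:00 brute force against one account is left to ordinary lockout logic.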

What we're watching: Microsoft has yet to say how many organizations — or even what kinds of companies — it's notifying about similar Midnight Blizzard intrusions.
