APT28 Mounts Rapid, Large-Scale Theft of Office 365 Logins


The Russia-linked threat group is harvesting credentials for Microsoft’s cloud offering, and targeting mainly election-related organizations.

The Russia-linked threat group known as APT28 has changed up its tactics to include Office 365 password-cracking and credential-harvesting.

Microsoft researchers have tied APT28 (a.k.a. Strontium, Sofacy or Fancy Bear) to this newly uncovered pattern of O365 activity, which began in April and is ongoing. The attacks have been aimed mainly at U.S. and U.K. organizations directly involved in political elections.

The APT often works to obtain valid credentials in order to mount espionage campaigns or move laterally through networks – in fact, Microsoft telemetry shows that the group launched credential-harvesting attacks against tens of thousands of accounts at more than 200 organizations between last September and June. Between August 18 and September 3, the group (unsuccessfully) targeted 6,912 O365 accounts belonging to 28 organizations.


“Not all the targeted organizations were election-related,” the firm explained, in a blog posted on Friday. “However, we felt it important to highlight a potential emerging threat to the 2020 U.S. Presidential Election and future electoral contests in the U.K.”

The activity dovetails with other recent Microsoft findings that, just months before the U.S. presidential election, hackers from Russia, China and Iran are ramping up phishing and malware attacks against campaign staffers. It should be noted that APT28 is widely seen as responsible for election-meddling in 2016 and the attack on the Democratic National Committee (including by the U.S. government).

Raking in a Fall “Harvest”

While APT28 relied heavily upon spear-phishing in its credential harvesting efforts going into the 2016 Presidential Election, this time around it’s turning to brute-forcing and password-spraying.

“This shift in tactics, also made by several other nation-state actors, allows them to execute large-scale credential-harvesting operations in a more anonymized manner,” according to Microsoft. “The tooling Strontium is using routes its authentication attempts through a pool of approximately 1,100 IPs, the majority associated with the Tor anonymizing service.”

This pool of infrastructure — the “tooling” — is quite fluid and dynamic, according to the research, with an average of approximately 20 IPs added to and removed from it per day. The attacks used a daily average of 1,294 IPs associated with 536 netblocks and 273 ASNs, and targeted organizations typically see more than 300 authentication attempts per hour per targeted account over the course of several hours or days.

“Strontium’s tooling alternates its authentication attempts amongst this pool of IPs approximately once per second,” Microsoft researchers said. “Considering the breadth and speed of this technique, it seems likely that Strontium has adapted its tooling to use an anonymizer service to obfuscate its activity, evade tracking and avoid attribution.”

APT28 has also been observed using password-spraying – a slight twist on the high-volume brute-forcing efforts described above.

“The tooling attempts username/password combinations in a ‘low ’n’ slow’ manner,” explained Microsoft researchers. “Organizations targeted by the tooling running in this mode typically see approximately four authentication attempts per hour per targeted account over the course of several days or weeks, with nearly every attempt originating from a different IP address.”

Activity overview. Source: Microsoft

Overall, organizations targeted by these attacks saw widespread authentication attempts throughout their footprints, with an average of 20 percent of total accounts suffering an attack.

“In some instances…the tooling may have discovered these accounts simply by attempting authentications against a large number of possible account names until it found ones that were valid,” according to the computing giant.

APT28 — believed to be tied to Russian military intelligence — has attacked more than 200 organizations this year, including political campaigns, advocacy groups, parties and political consultants, Microsoft noted. These include think-tanks such as The German Marshall Fund of the United States, The European People’s Party, and various U.S.-based consultants serving Republicans and Democrats. Organizations and individuals can protect themselves by applying multifactor authentication (MFA) and actively monitoring for failed authentications for the cloud service.
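The monitoring Microsoft recommends can be made concrete with the rates quoted in the article: more than 300 failures per hour against one account for the brute-force mode, roughly four per hour per account with almost every attempt from a fresh IP for the low-and-slow spray, and failures against names that do not exist when the tooling is discovering valid accounts. The following script is an added example, not code from Microsoft or Threatpost; it runs three heuristics over a constructed set of failed sign-in events (timestamp, account, source IP, whether the account exists) whose shape, tenant name and thresholds are all assumptions, not real telemetry or Office 365 log field names.

```python
"""Heuristics for the APT28 Office 365 patterns described in the article,
run over a constructed sample of failed sign-in events (hypothetical data)."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2020, 9, 1, 0, 0, 0)
# Constructed tenant of 100 accounts; names and domain are invented.
TENANT_ACCOUNTS = [f"user{i:03d}@example.org" for i in range(100)]


def _hour(ts):
    """Truncate a timestamp to its clock hour, used as the bucketing key."""
    return ts.replace(minute=0, second=0, microsecond=0)


def make_events():
    """Build a deterministic list of (timestamp, account, source_ip, account_exists).

    All three patterns are constructed to match the figures in the article."""
    events = []
    # Brute force: one account, 320 failures inside one hour, new IP every attempt.
    for n in range(320):
        ts = BASE + timedelta(seconds=n * 11)
        events.append((ts, TENANT_ACCOUNTS[0], f"10.0.{n // 256}.{n % 256}", True))
    # Low-and-slow spray: 30 of 100 accounts, 4 attempts per hour for 6 hours,
    # every attempt from a different IP.
    ip = 0
    for hour in range(6):
        for acct in TENANT_ACCOUNTS[1:31]:
            for k in range(4):
                ts = BASE + timedelta(hours=hour, minutes=15 * k, seconds=ip % 60)
                events.append((ts, acct, f"172.16.{ip // 256}.{ip % 256}", True))
                ip += 1
    # Account discovery: guesses at names that do not exist in the tenant.
    for n in range(40):
        ts = BASE + timedelta(hours=2, seconds=n * 90)
        events.append((ts, f"guess{n}@example.org", f"192.0.2.{n}", False))
    return sorted(events)


def detect_brute_force(events, per_hour_threshold=300):
    """Flag accounts with more than `per_hour_threshold` failures in one clock hour."""
    buckets = defaultdict(list)
    for ts, acct, ip, _ in events:
        buckets[(acct, _hour(ts))].append(ip)
    flagged = {}
    for (acct, _), ips in buckets.items():
        if len(ips) > per_hour_threshold:
            flagged[acct] = {"attempts": len(ips), "distinct_ips": len(set(ips))}
    return flagged


def detect_password_spray(events, tenant_size, max_rate_per_hour=10,
                          min_ip_ratio=0.9, min_fraction=0.2):
    """Spray: many accounts, each at a low hourly failure rate, nearly every
    attempt from a different IP; tripped when the share of such accounts in
    the tenant reaches `min_fraction` (the article's 20 percent average)."""
    per_acct = defaultdict(lambda: {"attempts": 0, "ips": set(), "hours": set()})
    for ts, acct, ip, exists in events:
        if not exists:
            continue
        d = per_acct[acct]
        d["attempts"] += 1
        d["ips"].add(ip)
        d["hours"].add(_hour(ts))
    sprayed = []
    for acct, d in per_acct.items():
        rate = d["attempts"] / len(d["hours"])
        ip_ratio = len(d["ips"]) / d["attempts"]
        if rate <= max_rate_per_hour and ip_ratio >= min_ip_ratio:
            sprayed.append(acct)
    fraction = len(sprayed) / tenant_size
    return {"accounts": sorted(sprayed), "fraction": fraction,
            "is_spray": fraction >= min_fraction}


def detect_enumeration(events, min_unknown_names=25):
    """Account discovery: failures against many names absent from the tenant."""
    unknown = {acct for _, acct, _, exists in events if not exists}
    return {"unknown_names": len(unknown),
            "is_enumeration": len(unknown) >= min_unknown_names}


if __name__ == "__main__":
    evs = make_events()
    print("brute force:", detect_brute_force(evs))
    spray = detect_password_spray(evs, tenant_size=len(TENANT_ACCOUNTS))
    print(f"spray: {len(spray['accounts'])} accounts, "
          f"{spray['fraction']:.0%} of tenant, flagged={spray['is_spray']}")
    print("enumeration:", detect_enumeration(evs))
```

The spray heuristic deliberately keys on the IP-diversity ratio rather than on volume, because a per-account rate of four failures an hour sits inside normal user noise; only the tenant-wide spread and the one-IP-per-attempt signature separate it from forgotten passwords. In a real tenant these checks would read the sign-in log rather than a constructed list, and the thresholds would be tuned against the organization's own baseline.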

“There are some very simple steps businesses and targeted individuals can take to significantly improve the security of their accounts and make these types of attacks much more difficult,” Microsoft noted.

