Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Tactics for Battling Attacks by Russia's Midnight Blizzard

As Nation-State Group Hacks Big Targets, Trellix's John Fokker Details Defenses
John Fokker, head of threat intelligence, Trellix

If major technology vendors keep being hacked by nation-state hacking group Midnight Blizzard, what chance do other organizations have?

See Also: Case Study: Streamlining User Access Reviews

That depends on how closely security teams keep an eye on their cloud environments and the degree to which they use a zero trust approach and extensive logging, said John Fokker, head of threat intelligence at Trellix.

"Look for any tampering with the extensive logging for the Microsoft Outlook web services, as well as unauthorized accounts and any anomalies around login, for test accounts, zero trust authentication," he said. "If there's anything that is bypassing multi-=factor authentication, these are all red flags."

Numerous Western nations have tied Midnight Blizzard - aka APT29 and Cozy Bear - to Russia's Foreign Intelligence Service, the SVR. U.S. authorities also blamed the agency's hacking teams for infiltrating the source code of the Orion IT monitoring software built by SolarWinds, as well as for hits on Okta, HPE and Microsoft.

Fokker said the SVR continues to show a keen interest in hacking into organizations through their cloud estates. That's because many governments make ample use of cloud infrastructure and also because such intrusions can be difficult to detect. "The cloud stuff is complex, and at the same time it offers them a way in without using a lot of malware, which sets off a lot of security products; they're targeting just weaknesses in the system," he said.

In this video interview with Information Security Media Group, Fokker discussed:

  • Open questions about the Midnight Blizzard attacks on major technology firms;
  • Essential defenses that Trellix recommends for spotting Midnight Blizzard tactics;
  • Why logging remains so important yet too often underutilized.

Fokker leads Trellix's threat intelligence group, which empowers industry partners and global law enforcement efforts with 24/7 mission-critical insights into the threat landscape. He previously worked at the Dutch National High Tech Crime Unit, where he supervised numerous large-scale cybercrime investigations.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.