Flash Briefing | Critical | Government, Critical Infrastructure

APT29 Exploiting Trusted Vendor Relationships to Reach UK and European Government Networks

APT29 — operated by Russia’s Foreign Intelligence Service (SVR) and tracked by Microsoft as Midnight Blizzard — has adapted its approach from direct government network intrusion to targeting the vendors and service providers that have privileged access to those networks. The shift reflects a mature response to improved government network defences: if the primary target is hardened, approach it through a trusted supplier.

The Supply Chain Pivot

The technique pattern builds on what APT29 demonstrated at scale with SolarWinds in 2020 and against Microsoft’s own corporate systems in early 2024. In both cases, the actor established access in a trusted organisation with broad downstream connectivity, then used that access to reach the real targets — US government agencies in the SolarWinds case, Microsoft customer environments in 2024.

In current operations against UK and European government supply chains, the observed approach involves:

OAuth application abuse. APT29 is registering or compromising OAuth applications with excessive permissions in cloud environments (Microsoft 365 and Entra ID tenants) belonging to IT service providers. A compromised third-party OAuth app holding application permissions such as Mail.ReadWrite (Microsoft Graph) or full_access_as_app (Exchange Online) does not need to bypass MFA: app-only tokens are issued to the application itself rather than to a user, so user-centric controls never apply and the token is already privileged.

Dormant account reactivation. Former employees of government IT suppliers, whose accounts remain active in cloud directories, have been targeted for credential compromise. A dormant account with legacy access permissions is a lower-profile entry point than a current employee's account, because nobody is watching it for unexpected activity.

Residential proxy networks. To blend access with legitimate geographic and ISP patterns, APT29 is routing activity through residential proxy infrastructure — the same operational security pattern used by Volt Typhoon for similar detection-evasion purposes.

Microsoft Tenant Compromise Implications

The January 2024 disclosure that APT29 had accessed Microsoft senior leadership email accounts had specific government implications beyond the immediate breach: APT29 was searching for correspondence related to what Microsoft knew about APT29. This represents an intelligence-collection operation designed to understand detection capability and law enforcement coordination — a sophisticated form of counter-intelligence using corporate email as the collection mechanism.

UK government departments that rely on Microsoft 365 for email and that have worked with NCSC or law enforcement on APT29-related threat intelligence should review their post-January 2024 activity for indicators of similar access.

  • Audit OAuth application permissions in your Entra ID / M365 tenant. Third-party apps with excessive Microsoft Graph permissions represent an attack surface that credential-based controls do not adequately address. Review and restrict.
  • Identify and disable dormant supplier accounts. Former contractor and service provider accounts that retain directory presence should be identified and disabled as standard offboarding hygiene.
  • Enable Conditional Access policies for workload identities. OAuth application sign-ins from unusual locations or through proxy infrastructure can be identified and blocked through Conditional Access rules. Note that Conditional Access for workload identities applies to single-tenant service principals registered in your own tenant; for third-party multi-tenant apps, rely on permission review and consent governance instead.
  • Apply enhanced logging to cloud environments. APT29's cloud operations produce distinct telemetry. Ensure audit logging is enabled for Entra ID sign-in events (including the service principal sign-in logs, not only interactive user sign-ins), OAuth grant activity, and application consent (audit activities such as "Consent to application" and "Add app role assignment to service principal").
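The following is an added example for the first recommendation above, not part of the briefing: a read-only Microsoft Graph PowerShell audit that enumerates app-only permission grants in an Entra ID tenant and flags the permissions the briefing names. The $HighRisk list and the CSV output path are assumptions to adapt to your own policy.

```powershell
# Added example, not part of the briefing: audit app-only (application) permission grants
# in an Entra ID tenant and flag the high-risk Graph/Exchange permissions the briefing names.
# Requires the Microsoft.Graph PowerShell SDK; this script only reads, it changes nothing.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Permissions treated as high risk for this review (assumption: tune to your tenant's policy).
$HighRisk = @('Mail.ReadWrite', 'Mail.Read', 'full_access_as_app', 'Directory.ReadWrite.All',
              'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All')

# Cache resource service principals (Microsoft Graph, Exchange Online, ...) so that the
# appRoleId GUIDs on each assignment can be mapped back to permission names.
$resourceCache = @{}
function Resolve-AppRoleName {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property AppRoles, DisplayName
    }
    $role = $resourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { $role.Value } else { $AppRoleId }   # fall back to the raw GUID if unmapped
}

$findings = foreach ($sp in Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, AppOwnerOrganizationId) {
    # appRoleAssignments on a service principal are the app-only permissions granted TO it.
    foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $permission = Resolve-AppRoleName -ResourceId $assignment.ResourceId -AppRoleId $assignment.AppRoleId
        if ($permission -in $HighRisk) {
            [pscustomobject]@{
                AppDisplayName = $sp.DisplayName
                AppId          = $sp.AppId
                # Tenant that owns the app: compare with your own tenant ID to separate
                # third-party vendor apps from in-house registrations and Microsoft first-party apps.
                OwnerTenantId  = $sp.AppOwnerOrganizationId
                Resource       = $assignment.ResourceDisplayName
                Permission     = $permission
                GrantedOn      = $assignment.CreatedDateTime
            }
        }
    }
}

# Admin-consented delegated grants (ConsentType AllPrincipals) act tenant-wide and belong in the same review.
$delegated = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'AllPrincipals' } | ForEach-Object {
    $grant = $_
    $risky = $grant.Scope -split ' ' | Where-Object { $_ -in $HighRisk }
    if ($risky) { [pscustomobject]@{ ClientId = $grant.ClientId; ResourceId = $grant.ResourceId; Scopes = ($risky -join ' ') } }
}

$findings  | Sort-Object AppDisplayName | Format-Table -AutoSize
$delegated | Format-Table -AutoSize
$findings  | Export-Csv -Path .\oauth-app-permission-audit.csv -NoTypeInformation   # assumed output path
```

Every row whose OwnerTenantId is neither your tenant nor Microsoft's is a vendor-owned app with tenant-wide mailbox or directory reach and should be justified or revoked.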