Russian Spies Bargain Hunting for Passwords

Since mid-2024, Kremlin-linked hacking teams have systematically purchased stolen usernames and passwords from cybercrime marketplaces, marking a strategic shift in Russian state-sponsored espionage operations.

Microsoft identified successful intrusions against telecommunications companies, defense contractors, digital services providers, healthcare organizations, and IT firms directly linked to this credential-purchasing strategy.

These infostealer markets function as cybercrime bazaars, offering login credentials harvested from global data breaches to the highest bidders. Russian intelligence groups, including GRU-affiliated units, utilize these purchased credentials as entry points for sophisticated espionage campaigns targeting high-value sectors across Western infrastructure.

The scope of these operations extends beyond traditional military targets, encompassing logistics networks, shipping companies, and transportation infrastructure. Humanitarian organizations supporting Ukraine relief efforts have become prime targets, with attackers seeking operational data including shipping manifests, aid distribution plans, and internal communications from NGOs operating in conflict zones.

Russian operators employ credential purchases to simplify initial network access, bypassing time-intensive brute-force techniques.

Once inside target networks, attackers manipulate mailbox permissions for persistent email collection, deploy Python scripts like Get-GPPPassword.py to extract plaintext passwords, and utilize voice phishing tactics to escalate privileges by impersonating IT personnel.

Persistence mechanisms include modifying folder permissions, enrolling compromised accounts in multi-factor authentication systems, and exploiting legacy authentication weaknesses. Attackers particularly target accounts exempted from MFA requirements, allowing broader access to user mailboxes and sensitive organizational data.

Operational security measures demonstrate sophisticated evasion capabilities. Russian groups employ “low and slow” password spraying techniques across large IP address ranges, including the Tor network and residential proxies, to mask attack origins.

Spoofed user agent strings simulate older mail clients, circumventing modern security controls designed to detect automated intrusion attempts.
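An added detection example, not code from the article or from Microsoft's reporting, that runs over constructed sign-in records and flags the pattern just described: many distinct accounts with only one or two failures each, spread across several source IPs inside one time window, followed by a success from one of those IPs, and a legacy mail-client user agent. The log format, thresholds and the BAV2ROPC watchlist entry are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sign-in log (fake users, RFC 5737 documentation addresses).
# Format per line: <ISO timestamp> <OK|FAIL> <user> <source IP> <user agent>
SAMPLE_LOG = """\
2024-09-01T08:00:01Z FAIL alice@example.test 203.0.113.10 BAV2ROPC
2024-09-01T08:09:40Z FAIL bob@example.test 198.51.100.7 BAV2ROPC
2024-09-01T08:18:03Z FAIL carol@example.test 203.0.113.44 BAV2ROPC
2024-09-01T08:27:55Z FAIL dave@example.test 192.0.2.88 BAV2ROPC
2024-09-01T08:36:21Z FAIL erin@example.test 198.51.100.200 BAV2ROPC
2024-09-01T08:44:09Z FAIL frank@example.test 203.0.113.99 BAV2ROPC
2024-09-01T08:52:30Z OK frank@example.test 203.0.113.99 BAV2ROPC
2024-09-01T09:40:00Z FAIL grace@example.test 192.0.2.5 Outlook/16.0 (Windows NT 10.0)
2024-09-01T09:41:00Z FAIL grace@example.test 192.0.2.5 Outlook/16.0 (Windows NT 10.0)
"""

# Assumed watchlist: BAV2ROPC is a user agent seen with legacy basic-auth mail clients.
LEGACY_AGENTS = ("BAV2ROPC",)

def parse(line):
    ts, result, user, ip, agent = line.split(maxsplit=4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "result": result,
            "user": user, "ip": ip, "agent": agent}

def detect_spray(log, window_min=60, min_accounts=5, max_per_account=2, min_ips=3):
    """Flag a 'low and slow' spray: many distinct accounts, at most a couple of
    failures each, spread across several source IPs within one sliding window."""
    events = sorted((parse(l) for l in log.splitlines() if l.strip()), key=lambda e: e["ts"])
    fails = [e for e in events if e["result"] == "FAIL"]
    spray_users, spray_ips = set(), set()
    for i, start in enumerate(fails):
        window = [e for e in fails[i:] if e["ts"] - start["ts"] <= timedelta(minutes=window_min)]
        per_user = Counter(e["user"] for e in window)
        ips = {e["ip"] for e in window}
        if (len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account
                and len(ips) >= min_ips):
            spray_users.update(per_user)
            spray_ips.update(ips)
    # A success from a spraying IP is the signal that a purchased or guessed credential worked.
    hits = [(e["user"], e["ip"]) for e in events if e["result"] == "OK" and e["ip"] in spray_ips]
    legacy = {e["agent"] for e in events if e["agent"].startswith(LEGACY_AGENTS)}
    return {"spray_accounts": spray_users, "spray_ips": spray_ips,
            "post_spray_success": hits, "legacy_agents": legacy}

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

Grace's two failures from a single IP are a normal mistyped password and are deliberately not flagged; the six single-failure accounts across six IPs are, as is frank's later success from a spraying IP.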

Following successful lateral movement, attackers systematically delete event logs using wevtutil commands, erasing evidence of privilege escalation activities.

Permission modifications by compromised administrator accounts facilitate sustained access to multiple user mailboxes, enabling long-term intelligence collection operations.

This credential marketplace strategy represents a concerning evolution in state-sponsored cyber espionage, demonstrating how criminal infrastructure increasingly supports geopolitical intelligence objectives.

The financial impact of these attacks is devastating, with data breach costs averaging $4.35 million per incident and often forcing smaller businesses to close within months.
