ctipilot.ch

ROADtools weaponised by Midnight Blizzard (APT29), Curious Serpens (APT33) and UTA0355 for Entra ID device registration, token theft and tenant enumeration

campaign · campaign:roadtools-weaponised-by-midnight-blizzard-curious-serpens-uta0355-entra-id

Coverage timeline: 1 (first 2026-05-23 → last 2026-05-23)
Briefs: 1 (1 distinct)
Sources cited: 8 (8 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-05-23 · CTI Daily Brief — 2026-05-23 · research
    Unit 42 (2026-05-22) documents three named clusters operationalising the open-source Python ROADtools framework. Chain: credential compromise → roadtx registers an attacker-controlled device → Primary Refresh Token persistence → roadrecon enumerates users/groups/service principals/OAuth grants via Microsoft Graph. T1098.005, T1550, T1087, T1556.006. Midnight Blizzard's EU diplomatic-tenant targeting pattern makes the relevance direct. Detection: Entra "Add device" events from unfamiliar device names; roadtx user-agent in sign-in logs; bulk Graph GET calls. Hardening: Conditional Access token protection (token binding); restrict device registration to compliant/hybrid-joined devices.

Where this entity is cited

  • research (1)

Source distribution

  • addleshawgoddard.com — 1 (12%)
  • cisa.gov — 1 (12%)
  • home-affairs.ec.europa.eu — 1 (12%)
  • securityweek.com — 1 (12%)
  • thehackernews.com — 1 (12%)
  • unit42.paloaltonetworks.com — 1 (12%)
  • volexity.com — 1 (12%)
  • welivesecurity.com — 1 (12%)

Related entities

All cited sources (8)

Items in briefs about ROADtools weaponised by Midnight Blizzard (APT29), Curious Serpens (APT33) and UTA0355 for Entra ID device registration, token theft and tenant enumeration (8)

Unit 42 — ROADtools operationalised by Midnight Blizzard, Curious Serpens and UTA0355 for Entra ID device registration, token theft and tenant enumeration

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

Unit 42 documents (2026-05-22) systematic nation-state operationalisation of ROADtools — the open-source Python Entra ID attack/defence framework hosted at github.com/dirkjanm/ROADtools — by three named clusters: Cloaked Ursa / Midnight Blizzard / APT29 / NOBELIUM (Russia), Curious Serpens / Peach Sandstorm / APT33 (Iran) and UTA0355 (Russian state-affiliated) (Unit 42, 2026-05-22). The chain begins with credential compromise (password spray or OAuth device-code phishing — see § 1 Kali365), then uses roadtx to register attacker-controlled devices in the victim's Entra ID tenant, establishing persistence via a Primary Refresh Token bound to a registered device. The roadrecon module performs systematic directory enumeration via legacy Azure AD Graph API calls — now also ported to the msgraph branch — targeting users, groups, service principals, application permissions and OAuth token grants.

MITRE ATT&CK techniques mapped explicitly by Unit 42: T1098.005 (Account Manipulation: Device Registration), T1550 (Use Alternate Authentication Material), and T1087 (Account Discovery via Microsoft Graph API). The device-PRT-binding step functionally bypasses tenant MFA — the brief leaves the explicit T1556.006 framing off since Unit 42 does not map it that way; defenders running custom ATT&CK overlays may want to add it themselves. Volexity's April 2025 OAuth device-code paper is the historical background for the device-code half of the chain. Detection vantage: monitor Entra ID audit logs for Add device events from unfamiliar device names or from IPs not in expected employee geographies; alert on sign-in logs carrying the roadtx user-agent string or unexpected https://login.microsoftonline.com/common/oauth2/token device-code grant flows; review Microsoft Graph Activity Logs for bulk GET /users, GET /groups and GET /servicePrincipals calls clustered by time. Hardening: enforce Conditional Access token-protection (token binding renders stolen tokens non-transferable across devices); restrict device registration to compliant or hybrid-joined devices only; enforce Privileged Access Workstation policy for admin token issuance; block Azure AD Graph via blockLegacyAuthentication. Midnight Blizzard has a documented pattern of targeting EU diplomatic corps and government Microsoft 365 tenants, so the relevance to Swiss federal and EU institution Entra estates is direct.
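The detection vantage above, as an added example that is not Unit 42's or this brief's code: a small Python triage pass over constructed Entra sign-in, audit and Graph Activity events. Field names are an assumed, simplified subset of the exported log JSON, and the CORP- device-name prefix is an assumed organisational convention; the three functions flag roadtx user agents, device registrations outside that convention, and time-clustered collection-level directory GETs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, assumed subset of the Entra
# sign-in, audit and Graph Activity log fields (not real telemetry).
SIGNINS = [
    {"time": "2026-05-20T08:01:00Z", "upn": "alice@example.org", "userAgent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"time": "2026-05-20T08:03:10Z", "upn": "bob@example.org", "userAgent": "roadtx/1.2"},
]
AUDITS = [
    {"time": "2026-05-20T08:02:00Z", "activity": "Add device", "device": "CORP-LT-0412"},
    {"time": "2026-05-20T08:04:30Z", "activity": "Add device", "device": "DESKTOP-3FQ2X"},
]
GRAPH = [
    {"time": "2026-05-20T08:05:00Z", "actor": "bob@example.org", "method": "GET", "uri": "/v1.0/users?$top=999"},
    {"time": "2026-05-20T08:05:20Z", "actor": "bob@example.org", "method": "GET", "uri": "/v1.0/groups"},
    {"time": "2026-05-20T08:06:05Z", "actor": "bob@example.org", "method": "GET", "uri": "/v1.0/servicePrincipals"},
    {"time": "2026-05-20T09:40:00Z", "actor": "alice@example.org", "method": "GET", "uri": "/v1.0/users"},
    {"time": "2026-05-20T14:10:00Z", "actor": "alice@example.org", "method": "GET", "uri": "/v1.0/groups"},
]
KNOWN_DEVICE_PREFIXES = ("CORP-",)  # assumed org device-naming convention
ENUM_COLLECTIONS = ("/users", "/groups", "/servicePrincipals")

def roadtx_signins(signins):
    """UPNs whose sign-in user agent carries the roadtx string."""
    return sorted({e["upn"] for e in signins if "roadtx" in e["userAgent"].lower()})

def unfamiliar_device_adds(audits, known_prefixes=KNOWN_DEVICE_PREFIXES):
    """'Add device' audit events whose device name breaks the org convention."""
    return [e["device"] for e in audits
            if e["activity"] == "Add device" and not e["device"].startswith(known_prefixes)]

def bulk_graph_enumeration(events, window=timedelta(minutes=5), threshold=3):
    """Actors with >= threshold collection-level directory GETs inside one sliding window."""
    per_actor = defaultdict(list)
    for e in events:
        # strip the query string; only collection listings count, not /users/{id} reads
        path = e["uri"].split("?", 1)[0].rstrip("/")
        if e["method"] == "GET" and path.endswith(ENUM_COLLECTIONS):
            per_actor[e["actor"]].append(datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = []
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(actor)
                break
    return sorted(flagged)
```

Tune the window and threshold against the tenant's own baseline of directory reads from admin tooling before alerting on the third function.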

FrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

ESET's 2026-05-14 analysis of activity observed since March 2026 documents an evolved spearphishing chain: (1) malicious PDFs impersonating Ukrtelecom with embedded redirect links, (2) RAR archives delivering JavaScript PicassoLoader variants, (3) server-side victim geo-validation (a benign PDF is served to non-Ukrainian IPs) with system fingerprinting every 10 minutes to determine Cobalt Strike eligibility, (4) persistence via scheduled tasks and registry modifications. The previous Polish-targeting wave exploited CVE-2024-42009 (Roundcube XSS) for credential harvesting; WinRAR CVE-2023-38831 is also referenced in the toolchain. The Belarus-aligned actor cluster (UNC1151, UAC-0057, TA445, Storm-0257, Umbral Bison, White Lynx) targets governmental, industrial, healthcare, and logistics sectors. EU scope: Poland, Lithuania, and Ukraine confirmed; broader Eastern European public-sector exposure inferred (ESET WeLiveSecurity; The Hacker News; daily 2026-05-15).

No named EU victim disclosures this run. Status update from the W19 long-running record (item:apt28-apt29-unc1151): ESET's documentation of the geofencing and 10-minute fingerprinting cadence is new operational detail not present in the W19 ABW tri-attribution coverage. Detection: outbound connections to Canarytokens-style endpoints used for fingerprinting; scheduled-task creation with random GUIDs spawned from Office process trees (T1053.005); child processes of WinRAR or archive handlers executing JavaScript (T1059.007); PicassoLoader staging behaviours.

Critical infrastructure water (PL)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Five Polish municipal water-treatment facilities (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo) had their OT networks penetrated with pump control parameters modified; manual override at at least one site prevented service disruption (daily 2026-05-08). The ABW 2025 Annual Report (published 2026-05-07) formally attributed the campaign to APT28 (GRU) and APT29 (SVR), with UNC1151 (Belarusian-linked, Ghostwriter cluster) named in the same attribution discussion (SecurityWeek — Polish security agency reports ICS breaches at five water treatment plants · daily 2026-05-09 UPDATE) — materially more granular than the initial "pro-Russian hacktivist" framing. All five facilities were below the NIS2 essential-entity headcount threshold at intrusion time. Cross-cutting theme: small municipal CI operators sit below regulatory coverage but inside hostile-state targeting; Dragos's 8th annual OT YiR (§ 6) reinforces this, with 65 percent of assessed sites carrying insecure remote-access conditions and hidden IT/OT network paths surfacing during routine penetration tests. Swiss / EU water, energy, and utility operators should re-validate IT-OT segmentation and authentication posture on industrial-gateway and SCADA management interfaces as a direct action carried into 2026-W20.

Europol IOCTA 2026

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

The Internet Organised Crime Threat Assessment 2026 (published 2026-04-28) was Europol's first IOCTA to identify the interweaving of state-sponsored hybrid threats with criminal actors as the defining strategic risk for EU public-sector defenders. The cross-finding pattern between IOCTA's framing and the rest of 2026-W19 is unusually direct: the WorldLeaks / ShinyHunters operator family targeting government identity registries and politically significant EU media entities, the named-cluster attribution on Polish water OT to APT28 + APT29 + UNC1151 sharing initial access tradecraft with hacktivist information operations, and the Bauman / GRU pipeline investigation (§ 7) all illustrate the convergence IOCTA flagged. For public-sector procurement and identity-management functions specifically, IOCTA's identification of public institutions, major technology companies, and EU citizens' personal data as primary risk targets matches the week's incident concentration exactly. (Europol IOCTA, 2026-04-28; daily 2026-05-06 first coverage).

ABW (Poland) 2025 Annual Report — APT28/APT29/UNC1151 tri-attribution on small-municipal water facilities

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

ABW's 2025 Annual Report (published 2026-05-07) is the only annual report this week that combines new ground-truth attribution detail with explicit regulatory-coverage-gap framing. The five named municipal water facilities (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo) all sit below the NIS2 essential-entity headcount threshold. ABW formally attributes initial access and persistence to APT28 (GRU), intelligence-collection overlay at Jabłonna Lacka to APT29 (SVR), and a disinformation overlay (fabricated leak documents purporting contamination data) to UNC1151 (Belarusian, Ghostwriter-affiliated) — granular tri-attribution materially beyond the "pro-Russian hacktivist" framing in initial reporting. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount. The cross-finding pattern for Swiss / EU public-sector readers: small municipal CI operators sit below regulatory coverage but inside hostile-state targeting; expect more regulator-side movement on this gap in coming weeks (daily 2026-05-09 UPDATE).

APT28 / APT29 / UNC1151 (Polish water OT)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: ABW 2025 Annual Report (2026-05-07 publication, covered 2026-05-09) is the formal-attribution development this week. Per SecurityWeek's coverage of the ABW report, the campaign against the five small Polish municipal water facilities is attributed to APT28 (GRU) and APT29 (SVR) — with UNC1151 (Belarusian-linked) named in the same attribution discussion. The granular per-facility breakdown and disinformation-overlay specifics carried in the daily 2026-05-09 UPDATE trace back to the Polish-language ABW report itself rather than the English secondary coverage; defenders relying on the English reporting should treat the actor-cluster trio as attributed jointly without per-facility specificity unless the ABW primary is consulted. The same APT28 cluster is in active operation against EU government ministries via CVE-2026-32202 (Windows Shell NTLM coercion, § 3). Outstanding defender question: whether ABW-recommended NIS2 expansion to critical-function entities below the headcount threshold gains EU-level momentum in coming weeks.

Poland NIS2 transposition in force 3 April 2026 — water-sector essential-entity status would now apply to the ABW-named facilities

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Poland's amended National Cybersecurity System Act (UKSC) entered into force on 3 April 2026, implementing NIS2 with a full compliance deadline of 3 April 2027 and first audit deadline 3 April 2028 (Addleshaw Goddard, 2026-02-26 · SecurityWeek, 2026-05-08). "Drinking water supply and distribution" and "wastewater management" are now designated essential-entity sectors in Polish law — meaning the five municipal water treatment facilities ABW documented as breached during 2025 (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo; § 4 / § 7) would, if attacked today, fall under NIS2 incident-reporting obligations. The attack vectors ABW attributes to APT28 / APT29 / UNC1151 (default credentials, internet-exposed ICS) are addressable by NIS2 Article 21 minimum security measures. The remaining policy gap: the breached small municipal operators are precisely the sub-threshold entities whose NIS2 coverage status is borderline under size-cap rules; the EC's NIS2 amendment introduces a "small mid-cap" important-entity category but does not resolve this specific small-municipality water-supply gap (member-state discretion). What defenders need to do differently: OT environments in small Polish municipalities with recently-transposed NIS2 obligations should treat the UKSC registration deadline (3 October 2026) as the immediate action item, and the 2025 ABW-documented attack vectors as the first patch-sprint target. For Swiss / EU operators reading: the ABW recommendation to extend essential-entity coverage below headcount threshold is now backed by both a documented compromise pattern and a freshly-transposed national NIS2 framework.

UPDATE: Polish water OT intrusions — ABW annual report names five facilities; APT28 / APT29 / UNC1151 formally attributed; NIS2 enforcement context

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

UPDATE (originally covered 2026-05-08):

Poland's Internal Security Agency (ABW) published its 2025 Annual Report on 2026-05-07, providing materially expanded detail beyond the initial reporting. The report names five municipal water facilities targeted in intrusion attempts during H2 2025 and Q1 2026: Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. All are smaller municipalities (populations 1,500–26,000) with limited IT security staff, consistent with the observed targeting pattern. ABW formally attributes the intrusion campaign to APT28 (Russian GRU) for the initial-access and persistence phase, APT29 (Russian SVR) for the intelligence-collection overlay observed at Jabłonna Lacka, and UNC1151 (Belarusian GRU-affiliated, historically associated with Ghostwriter information operations) for a disinformation component: fabricated leak documents purporting to show contamination data. This represents more granular tri-attribution than the "pro-Russian hacktivist" framing used in initial reporting.

NIS2 Directive context: Poland transposed NIS2 into national law effective 2026-02-01 (Ustawa z dnia 28 listopada 2025 r. o krajowym systemie cyberbezpieczeństwa). Water distribution operators above the 50-employee threshold are now classified as Essential Entities under NIS2, subject to mandatory incident notification to CSIRT GOV (ABW) within 24/72 hours. ABW's annual report explicitly notes that the five named facilities fell below the NIS2 threshold at the time of intrusion, highlighting the coverage gap for small municipal operators. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount.