Russia-Linked Hackers Conduct Dozens of Teams Phishing Attacks, Microsoft Reports

What Happened:

According to recent reports by Microsoft researchers, a Russian government-linked hacking group has launched a series of targeted phishing attacks on numerous global organizations. The attacks, which began in late May, involve the hackers impersonating technical support personnel in Microsoft Teams chats in an attempt to steal login credentials from unsuspecting users.

The campaign has affected fewer than 40 unique global organizations, and Microsoft is actively investigating the incidents. The company has already taken measures to mitigate the use of domains employed by the hackers. Despite the attackers attempting to exploit multifactor authentication (MFA) prompts, Microsoft is determined to counter their efforts and protect users’ security.

Microsoft Teams, a proprietary business communication platform, is widely used, boasting more than 280 million active users as of January 2023. The targeting of Teams users suggests that hackers are devising new methods to bypass MFA, which is a widely recommended security measure to prevent unauthorized access to accounts.

Who Is Responsible:

The group behind these attacks, known in the industry as Midnight Blizzard or APT29, is based in Russia and the UK. The U.S. and UK governments have previously linked this group to Russia’s foreign intelligence service. The researchers believe that the targets of this activity indicate specific espionage objectives aimed at government entities, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.

Midnight Blizzard has a history of targeting organizations in the U.S. and Europe since 2018. In this recent campaign, the hackers utilized already-compromised Microsoft 365 accounts owned by small businesses to create new domains that appeared to be legitimate technical support entities, incorporating the word “microsoft” in the domain names. The compromised accounts were then used to send phishing messages to potential victims through Microsoft Teams.

The Response:

Microsoft urges its users to remain vigilant against such social engineering attacks and to report any suspicious messages or activities. As the investigation continues, the company is committed to identifying and remediating the impact of the attack while enhancing security measures to prevent future incidents.

The Russian embassy in Washington has not yet responded to the reports.

 

Authored by contributor Anthony J. Daw

Joshua Paulo
Combining a Criminal Justice and International Relations background, Josh boasts years of experience in various forms of analysis and freelance journalism. He currently spearheads a team of professionals committed to delivering unbiased reporting to provide the public and private sector with accurate and insightful information. Josh serves as Atlas's Director of News.
