Russian hacking group targets Microsoft Teams users

Hackers linked to Russian state behind recent credential phishing attacks

The credential phishing attacks have affected fewer than 40 unique global organisations since late May, according to Microsoft

A Russian government-linked hacking group has been targeting global organisations, among them government agencies, with the aim of stealing Microsoft Teams credentials.

The targeted attacks engage users in Microsoft Teams chats by claiming to be from technical support, Microsoft researchers said in a blog post on Wednesday.

The hacking group behind this activity is known as Midnight Blizzard (aka Nobelium) and is tracked as APT29. The group is based in Russia and is linked to the country's foreign intelligence service.

According to Microsoft, Midnight Blizzard is known to target mainly governments, diplomatic entities, NGOs and IT service providers, primarily those based in the US and Europe. Microsoft said:

"Our current investigation indicates this campaign has affected fewer than 40 unique global organisations. The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors."

No organisation is named.

The hackers used compromised Microsoft 365 tenants to create domains that look like those of legitimate technical support. From these they sent individual users tech-support-themed messages, with the aim of manipulating them into approving multifactor authentication (MFA) prompts and ultimately stealing their credentials.

The messages came from the legitimate onmicrosoft.com domain, which will have increased the likelihood of the fake Microsoft support messages being perceived as genuine.
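As an added illustration, not taken from Microsoft's post or from this article, the following small heuristic runs over constructed Teams chat records and flags the pattern described above: an external sender on a *.onmicrosoft.com tenant with a support-themed name whose message asks the recipient to approve an MFA prompt. The record fields, the organisation's own tenant list and the keyword lists are assumptions made for the example.

```python
import re

# Constructed sample of external Teams chat events (sender UPN, display name, first line).
# The record shape is an assumption for this example, not Microsoft's audit schema.
SAMPLE_EVENTS = [
    {"sender": "helpdesk@msftprotection.onmicrosoft.com", "display": "Microsoft Identity Protection",
     "text": "We detected unusual sign-in activity. Please approve the MFA prompt we just sent."},
    {"sender": "jane.doe@partner-corp.com", "display": "Jane Doe",
     "text": "Hi, sharing the Q3 deck for review."},
    {"sender": "it@contoso.onmicrosoft.com", "display": "IT Service Desk",
     "text": "Reminder: laptops are due for patching on Friday."},
]

OWN_TENANTS = {"contoso.onmicrosoft.com"}  # assumption: the organisation's own default tenant domain(s)
SUPPORT_WORDS = re.compile(r"(support|helpdesk|protection|security|identity|microsoft|msft)", re.I)
MFA_LURE = re.compile(r"\b(approve|accept|enter)\b.*\b(mfa|code|prompt|authenticat\w*)\b", re.I)

def sender_domain(upn: str) -> str:
    """Lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()

def is_foreign_default_tenant(domain: str) -> bool:
    # Every M365 tenant gets a *.onmicrosoft.com default domain; a foreign one posing as
    # support is suspicious, because genuine Microsoft support does not chat from there.
    return domain.endswith(".onmicrosoft.com") and domain not in OWN_TENANTS

def score_event(ev: dict) -> list[str]:
    """Return the reasons an event looks like a tech-support lure (empty list if clean)."""
    reasons = []
    dom = sender_domain(ev["sender"])
    if is_foreign_default_tenant(dom):
        reasons.append("external onmicrosoft.com tenant")
        if SUPPORT_WORDS.search(dom) or SUPPORT_WORDS.search(ev["display"]):
            reasons.append("support/Microsoft-themed sender name")
    if MFA_LURE.search(ev["text"]):
        reasons.append("asks recipient to approve an MFA prompt")
    return reasons

def flag_events(events: list[dict]) -> list[dict]:
    """Events that triggered at least one reason, each annotated with its reasons."""
    return [dict(ev, reasons=r) for ev in events if (r := score_event(ev))]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit["sender"], "->", "; ".join(hit["reasons"]))
```

Only the first constructed record is flagged; the organisation's own tenant and the ordinary partner message pass through untouched.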

APT29 came to international attention at the end of 2020 with the Sunburst supply chain attack, best known for its compromise of the SolarWinds monitoring software. Microsoft warned in June that it was observing an increase in credential phishing attempts - and that this group was likely to be behind it.