In a recent disclosure, Microsoft researchers revealed that a hacking group with ties to the Russian government has launched a sophisticated campaign against numerous global entities.
The attackers employed a series of “highly targeted” social engineering tactics to pilfer login credentials by masquerading as technical support representatives within Microsoft Teams chats.
Since late May, this campaign has affected fewer than 40 distinct international organizations, according to a blog post by Microsoft researchers. The company is actively investigating the matter.
Surprisingly, the Russian embassy in Washington has not yet responded to requests for comment on this concerning issue.
The hackers strategically set up domains and accounts that convincingly resembled legitimate technical support channels.
Through these deceptive profiles, they engaged Microsoft Teams users in conversations, seeking to manipulate them into approving multifactor authentication (MFA) prompts. Microsoft has since blocked the use of these malicious domains and is working to remediate the consequences of the attack.
Microsoft Teams, a proprietary platform for business communication, boasts an impressive user base of over 280 million active users, according to the company’s January financial statement.
While multifactor authentication is widely advocated as a robust security measure against hacking attempts and credential theft, this incident underscores that hackers are continuously devising innovative ways to circumvent such safeguards.
The hacking group, dubbed Midnight Blizzard or APT29 in the industry, is believed to have affiliations with the Russian and UK intelligence services. Governments in the US and Europe have previously linked this group to the Russian foreign intelligence service.
The sectors targeted suggest specific espionage objectives on the part of Midnight Blizzard: government entities, non-government organizations (NGOs), IT services, technology firms, discrete manufacturing, and media. The specific targets were not disclosed by the researchers.
This latest attack is a testament to Midnight Blizzard’s ongoing pursuit of their objectives, employing both novel and conventional techniques. Historical records suggest that this group has been actively targeting organizations, primarily in the US and Europe, since 2018.
The hackers leveraged compromised Microsoft 365 accounts owned by small businesses to create seemingly legitimate technical support domains with “microsoft” in their names.
Subsequently, accounts associated with these deceptive domains disseminated phishing messages through Teams to bait unsuspecting victims. The attackers’ crafty approach made it challenging for users to discern the authenticity of these fraudulent communications.
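The two observable traits of the technique described above, a sender domain from an unrelated Microsoft 365 tenant whose name imitates Microsoft support, combined with a chat message that urges the recipient to approve an MFA prompt, can both be checked in a Teams external-message audit feed. The following is an added defender-side example, not code from Microsoft's report or from any product: it runs a lookalike-domain and MFA-lure check over a handful of constructed message records (the senders, tenant names and message texts are invented for illustration, and the `MICROSOFT_OWNED` allowlist is an assumption you would extend for your own tenant).

```python
import re

# Assumed allowlist of domains from which genuine Microsoft support traffic arrives.
# Extend this for your own environment; anything else that imitates Microsoft is suspect.
MICROSOFT_OWNED = {"microsoft.com"}

# Tokens that make a third-party domain or tenant label look like Microsoft.
LOOKALIKE_TOKENS = ("microsoft", "msft")

# Words commonly used to dress a tenant up as a support or security desk.
SUPPORT_WORDS = ("support", "helpdesk", "security", "protection", "identity")

# A *.onmicrosoft.com sender comes from some M365 tenant; only the tenant label is examined,
# so the "onmicrosoft.com" suffix itself never triggers the lookalike rule.
TENANT_RE = re.compile(r"^(?P<label>[^.]+)\.onmicrosoft\.com$")

# Phrases that push the recipient to approve an authentication prompt.
MFA_LURE_RE = re.compile(r"\b(mfa|multi-?factor|authenticator|approve)\b", re.IGNORECASE)

# Constructed sample records shaped like external Teams chat events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2023-06-02T09:14:03Z", "sender": "helpdesk@msftsecurityprotection.onmicrosoft.com",
     "recipient": "alice@example.org", "external": True,
     "text": "Hi, this is Microsoft Identity Protection. Please approve the MFA prompt we just sent."},
    {"ts": "2023-06-02T09:20:11Z", "sender": "bob@partner-example.com",
     "recipient": "alice@example.org", "external": True,
     "text": "Please approve the revised PO when you get a chance."},
    {"ts": "2023-06-02T09:25:40Z", "sender": "carol@example.org",
     "recipient": "alice@example.org", "external": False,
     "text": "Lunch at noon?"},
    {"ts": "2023-06-02T09:31:55Z", "sender": "it@microsoft-support-team.com",
     "recipient": "dave@example.org", "external": True,
     "text": "Your account was flagged. Open Microsoft Authenticator and approve the sign-in request."},
]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail style sender address."""
    return address.rsplit("@", 1)[-1].lower()


def classify_domain(domain: str) -> list[str]:
    """Return the reasons a sender domain looks like a Microsoft support impersonation."""
    reasons: list[str] = []
    if domain in MICROSOFT_OWNED:
        return reasons
    tenant = TENANT_RE.match(domain)
    label = tenant.group("label") if tenant else domain
    if any(token in label for token in LOOKALIKE_TOKENS):
        reasons.append("microsoft-lookalike")
    if tenant and any(word in label for word in SUPPORT_WORDS):
        reasons.append("support-themed-tenant")
    return reasons


def flag_events(events: list[dict]) -> list[dict]:
    """Flag external chat events whose sender domain imitates Microsoft support.

    The MFA lure check is only applied once the domain is already suspicious, so a
    legitimate partner asking someone to 'approve' a document is not flagged on its own.
    """
    findings = []
    for event in events:
        if not event.get("external"):
            continue  # internal chat is out of scope for this check
        domain = sender_domain(event["sender"])
        reasons = classify_domain(domain)
        if reasons and MFA_LURE_RE.search(event.get("text", "")):
            reasons.append("mfa-approval-lure")
        if reasons:
            findings.append({"ts": event["ts"], "sender": event["sender"],
                             "domain": domain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(finding["ts"], finding["sender"], ", ".join(finding["reasons"]))
```

The check is deliberately narrow: it does not try to judge every external sender, only those whose domain or tenant label borrows Microsoft's name, and it raises the severity when such a sender also asks the recipient to approve an authentication prompt. Real deployments would feed it from the tenant's Teams audit export and tune the allowlist and keyword sets to local naming conventions.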