A Russian government-linked hacking group has been implicated in a sophisticated cyber attack targeting dozens of global organizations. Microsoft researchers revealed on Wednesday that the group, known as Midnight Blizzard or APT29, has been engaging users in Microsoft Teams chats, masquerading as technical support, to steal login credentials through highly targeted social engineering attacks.
The campaign, which has been underway since late May, has affected fewer than 40 unique global organizations, according to the researchers. They added that Microsoft is actively investigating the incidents. The Russian embassy in Washington has not yet responded to requests for comment on the matter.
The modus operandi of the hackers involves setting up domains and accounts that closely resemble legitimate technical support entities. They then initiate Teams chats with users, attempting to manipulate them into approving multifactor authentication (MFA) prompts. Multifactor authentication is a widely recommended security measure designed to thwart unauthorized access to accounts. That the hackers are circumventing this measure, not by defeating the technology but by talking the account owner into approving the prompt themselves, highlights the evolving sophistication of their tactics.
Microsoft, in response to the attacks, has taken measures to prevent the further use of the domains involved and is working diligently to address the implications of the breach. Microsoft Teams, the platform at the center of the attacks, is a proprietary communication tool catering to businesses, boasting over 280 million active users as of January this year.
Midnight Blizzard, the hacking group behind this campaign, has a history of targeting organizations in the U.S. and Europe, with activities dating back to 2018. The group is widely believed to be based in Russia and has been associated with the country’s foreign intelligence service by both the U.S. and U.K. governments.
The specific targets of the attacks have not been named. Still, Microsoft researchers suggested that they likely include government entities, non-government organizations (NGOs), IT services, technology firms, discrete manufacturing companies, and media organizations.
In their blog post, the researchers underlined the ongoing evolution of Midnight Blizzard’s tactics, stating, “This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques.”
The hacking group’s strategy included leveraging already-compromised Microsoft 365 accounts owned by small businesses to create new domains that mimicked legitimate technical support entities. From these domains, phishing messages were sent to lure individuals, particularly via Microsoft Teams.
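As an added example that is not part of the article or of Microsoft's own tooling, the Python below shows detection logic a defender might run over sign-in and Teams audit records to surface the two signals the report describes: a burst of MFA prompts against one account that ends in an approval, and chats arriving from external tenants whose names imitate a technical support function. The field names, sample events, trusted-domain allowlist and keyword list are constructed assumptions, not a real log schema.

```python
"""Added example: correlate repeated MFA prompts with look-alike external Teams senders.
All records below are constructed sample data; the field names are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: one prompt per row, with the user's MFA response.
SIGNIN_EVENTS = [
    {"ts": "2023-07-12T09:00:05Z", "user": "alice@example.org", "mfa": "denied"},
    {"ts": "2023-07-12T09:01:10Z", "user": "alice@example.org", "mfa": "denied"},
    {"ts": "2023-07-12T09:02:40Z", "user": "alice@example.org", "mfa": "timeout"},
    {"ts": "2023-07-12T09:04:15Z", "user": "alice@example.org", "mfa": "approved"},
    {"ts": "2023-07-12T09:30:00Z", "user": "bob@example.org", "mfa": "approved"},
    {"ts": "2023-07-12T15:00:00Z", "user": "bob@example.org", "mfa": "denied"},
]

# Constructed Teams chat metadata for messages that came from outside the tenant.
TEAMS_MESSAGES = [
    {"ts": "2023-07-12T08:58:00Z", "sender": "helpdesk@msftsecurityprotection.onmicrosoft.com",
     "recipient": "alice@example.org"},
    {"ts": "2023-07-12T10:15:00Z", "sender": "dana@partner.example",
     "recipient": "bob@example.org"},
    {"ts": "2023-07-12T11:00:00Z", "sender": "it-support@identity-verify.onmicrosoft.com",
     "recipient": "bob@example.org"},
]

# Assumed allowlist of external tenants this organization legitimately chats with.
TRUSTED_EXTERNAL_DOMAINS = {"partner.example"}
# Assumed vocabulary a fake "technical support" tenant name tends to borrow.
LOOKALIKE_TOKENS = ("microsoft", "msft", "support", "helpdesk", "security",
                    "protection", "identity", "verify")


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def mfa_prompt_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: (first_prompt_time, prompt_count)} for users who received at
    least `threshold` prompts inside `window`, where earlier prompts were not
    approved but the last one was. A run of denied or timed-out prompts that ends
    in an approval is what a user talked into accepting produces."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((_parse(e["ts"]), e["mfa"]))
    flagged = {}
    for user, prompts in by_user.items():
        prompts.sort()
        for i, (t0, _) in enumerate(prompts):
            run = [p for p in prompts[i:] if p[0] - t0 <= window]
            ended_in_approval = run[-1][1] == "approved"
            had_refusals = any(status != "approved" for _, status in run[:-1])
            if len(run) >= threshold and ended_in_approval and had_refusals:
                flagged[user] = (t0, len(run))
                break
    return flagged


def suspicious_external_senders(messages, trusted=TRUSTED_EXTERNAL_DOMAINS,
                                tokens=LOOKALIKE_TOKENS):
    """Return senders from non-allowlisted external domains whose tenant label
    contains a support- or vendor-sounding token. The '.onmicrosoft.com' suffix is
    stripped first so the word 'microsoft' in the suffix itself never matches;
    only the tenant-chosen label is inspected."""
    hits = []
    for m in messages:
        domain = m["sender"].rsplit("@", 1)[1].lower()
        if domain in trusted:
            continue
        label = domain.removesuffix(".onmicrosoft.com")
        if any(tok in label for tok in tokens):
            hits.append(m["sender"])
    return hits


def correlate(events, messages, lead=timedelta(minutes=30)):
    """Pair each MFA burst with a suspicious external chat sent to the same user
    up to `lead` before the burst began. Returns {user: sender}."""
    bursts = mfa_prompt_bursts(events)
    senders = set(suspicious_external_senders(messages))
    pairs = {}
    for user, (first_ts, _count) in bursts.items():
        for m in messages:
            gap = first_ts - _parse(m["ts"])
            if m["sender"] in senders and m["recipient"] == user \
                    and timedelta(0) <= gap <= lead:
                pairs[user] = m["sender"]
    return pairs


if __name__ == "__main__":
    for user, (start, n) in mfa_prompt_bursts(SIGNIN_EVENTS).items():
        print(f"MFA burst: {user} received {n} prompts starting {start}")
    for sender in suspicious_external_senders(TEAMS_MESSAGES):
        print(f"Look-alike external sender: {sender}")
    for user, sender in correlate(SIGNIN_EVENTS, TEAMS_MESSAGES).items():
        print(f"Likely support-impersonation attempt: {sender} -> {user}")
```

Either signal alone is noisy: users fat-finger MFA prompts, and not every unfamiliar tenant is hostile. The `correlate` step is what turns the two into an actionable alert, and it is the same pairing an analyst would do by hand when investigating one of these chats.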
As this cyber attack sheds light on the increasing sophistication of hacking techniques, the cybersecurity community is reminded of the relentless efforts by malicious actors to exploit vulnerabilities for their gain. The incident also underscores organizations’ need to remain vigilant and proactive in safeguarding their digital infrastructure against evolving threats.