Dozens of organisations have suffered security breaches at the hands of Russian hackers posing as tech support in Microsoft Teams chats.
Last week, Microsoft’s threat intelligence researchers detailed a spate of “highly targeted” social engineering attacks carried out through chats in Microsoft’s workplace messaging app Teams.
The attacks – carried out by a Russia-based threat actor called Midnight Blizzard – affected approximately 40 global organisations.
“Our current investigation indicates this campaign has affected fewer than 40 unique global organisations,” Microsoft researchers wrote.
“The organisations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organisations (NGOs), IT services, technology, discrete manufacturing, and media sectors.”
The attacks targeted victims’ log-in credentials using phishing lures sent in Teams chats under the guise of tech support.
Using Microsoft 365 tenants belonging to small businesses that had previously been compromised, the attackers created new onmicrosoft.com subdomains that convincingly impersonated legitimate technical support providers – combining security-themed keywords with “onmicrosoft.com” to produce domains such as “teamsprotection.onmicrosoft.com”.
From there, Midnight Blizzard set their sights on multi-factor authentication (MFA) codes – messaging users of target organisations in attempts to gain illegitimate approval of MFA prompts.
MFA prompts are used in some of Microsoft’s authentication processes: during login, the user is shown a code which must be entered into the Microsoft Authenticator app on their mobile device.
Hackers sent messages to targeted users over an ostensibly valid Teams chat, prompting the user to enter the MFA code into their device.
Once the user fell for the misleading chat request and approved an MFA prompt, the hackers were granted direct access to their Microsoft 365 account – enabling malicious activity such as information theft.
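The lure-then-approve sequence described above can be looked for in telemetry. The following is an added detection example, not code from the article or from Microsoft: it flags external Teams chats from security-themed onmicrosoft.com tenants and correlates them with an MFA approval by the same user shortly afterwards. The event records, their field names and the keyword list beyond “protection” are constructed assumptions, not a real Microsoft log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events with hypothetical field names (not a real
# Microsoft log schema): external Teams chats and MFA prompt outcomes.
TEAMS_CHATS = [
    {"ts": "2023-08-02T09:14:00", "user": "alice@example.org",
     "sender_domain": "teamsprotection.onmicrosoft.com"},
    {"ts": "2023-08-02T10:30:00", "user": "bob@example.org",
     "sender_domain": "contoso.onmicrosoft.com"},
    {"ts": "2023-08-02T11:00:00", "user": "carol@example.org",
     "sender_domain": "identitysupport.onmicrosoft.com"},
]
MFA_PROMPTS = [
    {"ts": "2023-08-02T09:17:30", "user": "alice@example.org", "result": "approved"},
    {"ts": "2023-08-02T10:45:00", "user": "bob@example.org", "result": "approved"},
    {"ts": "2023-08-02T13:30:00", "user": "carol@example.org", "result": "approved"},
]

# "protection" comes from the article's example domain; the other keywords are
# an assumption that a detection team would tune for its own environment.
SECURITY_KEYWORDS = ("protection", "security", "identity", "support", "helpdesk")
SUFFIX = ".onmicrosoft.com"

def is_lure_domain(domain: str) -> bool:
    """True for <label>.onmicrosoft.com where the tenant label is security-themed."""
    d = domain.strip().lower()
    if not d.endswith(SUFFIX):
        return False
    label = d[: -len(SUFFIX)].split(".")[-1]   # tenant label right before the suffix
    return any(k in label for k in SECURITY_KEYWORDS)

def suspicious_chats(chats):
    """External Teams chats initiated from a security-themed onmicrosoft.com tenant."""
    return [c for c in chats if is_lure_domain(c["sender_domain"])]

def correlate(chats, prompts, window_minutes=15):
    """Pair each suspicious chat with an MFA approval by the same user soon after.
    Returns (user, sender_domain, minutes_between) for each lure-then-approve sequence."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for chat in suspicious_chats(chats):
        t0 = datetime.fromisoformat(chat["ts"])
        for p in prompts:
            if p["user"] != chat["user"] or p["result"] != "approved":
                continue
            delta = datetime.fromisoformat(p["ts"]) - t0
            if timedelta(0) <= delta <= window:
                hits.append((chat["user"], chat["sender_domain"], int(delta.total_seconds() // 60)))
    return hits
```

On the constructed data, `correlate(TEAMS_CHATS, MFA_PROMPTS)` returns only Alice’s sequence: Bob’s sender tenant carries no security keyword, and Carol’s approval falls outside the 15-minute window (though her chat is still listed by `suspicious_chats`).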
“Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack,” Microsoft researchers wrote.
Midnight Blizzard rages on
Microsoft’s threat intelligence described the attacks from Midnight Blizzard as “nation-state actor activity”, and said the Russia-based group has been linked to the Foreign Intelligence Service of the Russian Federation.
According to Microsoft’s researchers, the group is known to target governments, diplomatic entities, non-government organisations and IT service providers primarily in the US and Europe.
“Their focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018,” Microsoft researchers wrote.
“Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organisation to expand access and evade detection.”
The group – also known as APT29 – is said to employ a wide range of cyber criminal techniques, from credential theft and spear-phishing to brute force attacks and password spraying.
In 2020, a string of cyber attacks on COVID-19 medical research centres was attributed to APT29/Midnight Blizzard, and in 2021 the group’s activity led to the US sanctioning Russia over the breach at network software company SolarWinds, which enabled widespread monitoring of systems in large businesses and US government departments.
Last month, Microsoft shared findings from a similar string of attacks out of China which also saw government organisations targeted through Microsoft systems.
Microsoft listed a range of recommendations to reduce the risk of this threat, such as deploying authentication-related security controls and educating users about social engineering and phishing.