Microsoft Identifies Russia-Based Hackers For Teams Phishing Attacks


Phishing attacks delivered through Microsoft Teams are being carried out by Russian government-linked hackers, Redmond warns

A hacker group linked to the Russian government is behind dozens of attacks delivered through Microsoft Teams, in a campaign to steal login credentials by posing as technical support.

This is according to Microsoft Threat Intelligence, which in a blog post on Wednesday revealed it had identified “highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as Nobelium).”

Nobelium (or Midnight Blizzard) is also known as APT29 or Cozy Bear. The group was behind the SolarWinds supply-chain compromise, which gave it access to the systems of nine US federal agencies, along with numerous private enterprises, in 2020 and 2021.

Espionage objectives

According to Microsoft Threat Intelligence, this latest attack, combined with past activity, “further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques.”

Microsoft said the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organisation by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.
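The lure described above depends on an external tenant being able to open a chat with the target's users in the first place. One control an administrator can apply against that is to restrict Teams external access (federation) to an explicit allowlist of partner domains, so that a newly created lookalike "support" tenant is rejected before a user ever sees the chat request. The following is an added example using the MicrosoftTeams PowerShell module; it is not code from Microsoft's blog post or from the article, and the partner domains it lists are placeholders.

```powershell
# Added example, not from the article or Microsoft's post.
# Requires the MicrosoftTeams PowerShell module and Teams administrator rights.
# The partner domains below are hypothetical placeholders; substitute your own.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Inspect the current external access configuration. The weak state
#    that the campaign relies on is AllowFederatedUsers = True with
#    AllowedDomains left at "allow all known domains": any tenant,
#    including a compromised small-business tenant posing as support,
#    can then start a chat with your users.
Write-Host "Current external access configuration:"
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound |
    Format-List

# 2. Hardened state: keep federation on, but only for named partner domains.
#    Chat requests from every other tenant are rejected by the service.
$partnerDomains = @("partner-a.example", "partner-b.example")   # placeholders
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $partnerDomains

# 3. Also refuse chats from personal (consumer) Teams accounts, which are
#    another source of unsolicited external approaches.
Set-CsTenantFederationConfiguration `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 4. Verify that the allowlist, not "allow all", is now in effect.
Write-Host "Hardened external access configuration:"
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound |
    Format-List
```

Moving from open federation to an allowlist blocks chats from every tenant not on the list, so agree the partner set with the business before applying it, and treat the change as a complement to, not a replacement for, MFA hygiene: a user who has already accepted a chat and approves an MFA prompt they did not initiate is still compromised.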

Teams is Microsoft’s business communication platform, with more than 280 million active users, after it grew dramatically in popularity during the Coronavirus pandemic.


As with any social engineering lure, Microsoft said it encourages organisations to reinforce security best practices for all users, and to stress that any authentication request not initiated by the user should be treated as malicious.

“Our current investigation indicates this campaign has affected fewer than 40 unique global organisations,” said the software giant.

“The organisations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organisations (NGOs), IT services, technology, discrete manufacturing, and media sectors.”

Microsoft said it has blocked the actor from using the domains and continues to investigate the activity to remediate the impact of the attack.

Nation-state hacking

As with any observed nation-state actor activity, Microsoft said it has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.

“Midnight Blizzard (Nobelium) is a Russia-based threat actor attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR,” said Microsoft.

“This threat actor is known to primarily target governments, diplomatic entities, non-government organisations (NGOs), and IT service providers primarily in the US and Europe,” it added.

“Their focus is to collect intelligence through long-standing and dedicated espionage of foreign interests that can be traced to early 2018,” Redmond warned. “Their operations often involve compromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise authentication mechanisms within an organisation to expand access and evade detection.”

Microsoft said Midnight Blizzard is consistent and persistent in its operational targeting, and its objectives rarely change.

“Midnight Blizzard (Nobelium) is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear,” said Redmond.

Remove staff credentials

Mike Newman, CEO of identity management specialist My1Login, cautioned that there could be many victims due to the sophisticated nature of this phishing scam.

“This is a highly sophisticated phishing scam that would be almost impossible to detect to the untrained eye,” said Newman. “Because the attackers were using a legitimate Microsoft domain, it would only have taken a very curious and security-savvy user to investigate the prompts further and realise they were fake.

“As a result of this, even despite the low number of organisations targeted, this attack would have picked up many victims.”

“As criminals’ techniques continue to improve, users are perpetually on the back foot,” noted Newman. “These scams are almost undetectable, and things are going to keep getting worse as fraudulent generative AI continues to innovate.”

“Businesses therefore need to take their own remediation action against these threats and one of the best ways to do this is by removing passwords and credentials from users’ hands,” said Newman. “This means even when highly sophisticated scams do reach user inboxes, users can’t be tricked into handing over their credentials because they simply do not know them.”

“Removing credentials and passwords from users can be achieved by implementing modern Identity Management solutions, which improve security but also remove cumbersome security checks within the enterprise to enhance the user experience and increase operational efficiency,” Newman concluded.

Social engineering

Andy Garth, government affairs director at cybersecurity specialist ESET, noted that the attacks rely on social engineering techniques.

“It’s not just malicious emails you have to be on the lookout for; malicious actors have been exploiting MS Teams,” said Garth.

“While the attacks are not technically sophisticated, this time, they rely on an elaborate social engineering technique that masquerades previously compromised accounts of small businesses as technical support accounts and uses these ‘trustworthy-looking’ entities to lure the victim into accepting an external request to chat.”

“According to Microsoft, Midnight Blizzard (aka The Dukes, APT 29), a group linked to Russia’s Foreign Intelligence Service (SVR), has been using this method to conduct a cyberespionage campaign,” Garth added. “Once in touch with officials in Government bodies, NGOs, and target companies, the group would entice the victim to click on a malicious link requesting login credentials.”

“Spearphishing attacks target individuals with access to specific information, thus requiring the attackers to undertake background work to hone their approach, gain the confidence of their victims and lure them,” Garth cautioned. “As with your email, you should also be sceptical of unsolicited approaches from anyone external to the organisation trying to reach out through MS Teams.”