A hacking group with ties to the Russian government is targeting dozens of global organizations to steal login credentials by posing as technical support staff in Microsoft Teams chats, Microsoft researchers said Wednesday.
These “highly targeted” social engineering attacks have impacted “fewer than 40 unique global organizations” since the end of May, Microsoft researchers said in a blog post, adding that the company was investigating.
The Russian Embassy in Washington did not immediately respond to a request for comment.
Researchers say the hackers set up domains and accounts that appeared to belong to technical support, used them to draw Teams users into chats, and then tried to get those users to approve multi-factor authentication (MFA) prompts.
“Microsoft has blocked the attacker’s use of these domains and continues to investigate this activity and work to remediate the impact of the attack,” they added.
Teams, Microsoft’s proprietary business communications platform, has more than 280 million active users, according to the company’s January financial statements.
MFA is a widely recommended security measure that requires a second proof of identity beyond a password, so that a stolen password alone is not enough to sign in. The Teams campaign shows hackers adapting their social engineering to get around it: rather than defeating the second factor, they persuade the user to approve it for them.
Researchers say the hacking group behind the campaign, known in the industry as Midnight Blizzard or APT29, is based in Russia and has been linked to the country’s foreign intelligence services by the British and U.S. governments.
“The organizations targeted by this campaign may be indicative of Midnight Blizzard’s specific espionage targets targeting the government, non-governmental organizations (NGOs), IT services, technology, discrete manufacturing and media sectors,” they said, without disclosing any targets.
“This latest attack, combined with past campaigns, provides further evidence that Midnight Blizzard uses new and common techniques to consistently execute its objectives,” the researchers wrote.
Midnight Blizzard has been targeting such groups since 2018, primarily in the United States and Europe, they added.
According to details in a Microsoft blog, hackers used compromised Microsoft 365 accounts owned by small businesses to create new domain names that appear to be technical support entities and contain the word “Microsoft.” Researchers said accounts associated with these domains then sent phishing messages through Teams to trick people.
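As an added example of the triage check a defender could run over external Teams messages given what the article describes (this is not code from the page, from Microsoft or from Reuters): flag sender domains that carry the vendor name outside Microsoft-owned domains, and messages that ask the recipient to approve a prompt or hand over a code. The allow-list of verified Microsoft domains, the keyword lists, the leet-speak folding table and the sample messages are assumptions constructed for illustration, and the script assumes messages have already been exported as records with a sender address and message text.

```python
"""Flag external Teams senders that pose as Microsoft technical support.

Added example; not code from the article, Microsoft or Reuters.
All lists below are illustrative assumptions, not published indicators.
"""
import re

# Assumption: registrable domains you have verified as Microsoft-owned.
# Populate from your own vetted inventory; these three are illustrative.
VERIFIED_VENDOR_DOMAINS = {"microsoft.com", "office.com", "live.com"}

# Tokens that, outside a verified vendor domain, suggest vendor impersonation.
VENDOR_TOKENS = ("microsoft", "msft", "m365", "office365")
# Wording attackers combine with the vendor name to look like a support desk.
SUPPORT_TOKENS = ("support", "helpdesk", "security", "protection", "identity", "admin")

# Fold common digit/symbol substitutions (micr0soft, m5ft, msft-security) so a
# naive substring match cannot be dodged. Assumed table, extend as needed.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t", "$": "s",
                      "-": "", "_": ""})

# Lure phrasing: asks the target to approve a prompt or hand over a code.
MFA_LURE = re.compile(
    r"\b(approve|accept)\b.*\b(request|prompt|sign[- ]?in|authenticator)\b"
    r"|\b(enter|share|send)\b.*\b(code|verification)\b",
    re.I,
)


def normalize(domain):
    return domain.strip().lower().rstrip(".")


def registrable(domain):
    # Naive eTLD+1 (last two labels). Good enough for the constructed samples;
    # use a public-suffix-list library against real data.
    labels = normalize(domain).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def flag_sender_domain(domain):
    """Return a reason string if the domain looks like Microsoft support
    impersonation, or None if it is verified vendor-owned or unremarkable."""
    d = normalize(domain)
    if registrable(d) in VERIFIED_VENDOR_DOMAINS:
        return None
    if d.endswith(".onmicrosoft.com"):
        # Every Microsoft 365 tenant receives a <tenant>.onmicrosoft.com name
        # chosen by the tenant owner, so the left label proves nothing about
        # who runs it; a compromised small-business tenant can pick any label.
        tenant = d[: -len(".onmicrosoft.com")]
        if any(t in tenant for t in VENDOR_TOKENS + SUPPORT_TOKENS):
            return f"tenant-chosen onmicrosoft.com label '{tenant}' poses as vendor support"
        return None
    folded = d.translate(LEET)
    has_vendor = any(t in folded for t in VENDOR_TOKENS)
    has_support = any(t in folded for t in SUPPORT_TOKENS)
    if has_vendor and has_support:
        return "vendor name plus support wording in non-Microsoft domain"
    if has_vendor:
        return "vendor name in non-Microsoft domain"
    return None


def triage_messages(messages):
    """messages: iterable of dicts with 'sender' (address) and 'text'.
    Returns one record per message that trips either heuristic."""
    hits = []
    for m in messages:
        domain = m["sender"].rsplit("@", 1)[-1]
        reason = flag_sender_domain(domain)
        lure = bool(MFA_LURE.search(m["text"]))
        if reason or lure:
            hits.append({"sender": m["sender"], "domain_reason": reason, "mfa_lure": lure})
    return hits


# Constructed sample messages for this example; not real campaign data.
SAMPLE_MESSAGES = [
    {"sender": "helpdesk@msft-security-support.example",
     "text": "Hi, this is Microsoft Support. Please approve the sign-in request "
             "we just sent to your Authenticator app."},
    {"sender": "it@micr0soft-protection.net",
     "text": "We detected unusual activity. Enter the verification code shown "
             "in Authenticator to confirm it's you."},
    {"sender": "admin@securitysupport.onmicrosoft.com",
     "text": "Please accept the MFA prompt."},
    {"sender": "alice@partner.example",
     "text": "Can we move the meeting to 3pm?"},
    {"sender": "noreply@microsoft.com",
     "text": "Your weekly digest is ready."},
]

if __name__ == "__main__":
    for hit in triage_messages(SAMPLE_MESSAGES):
        print(hit)
```

The domain check and the lure check are deliberately independent: a message from a legitimate-looking tenant that still asks the recipient to approve a prompt is worth a second look, and a lookalike domain that has not yet sent a lure is worth blocking before it does. Neither heuristic replaces the controls the article points at, namely restricting external Teams federation and using phishing-resistant or number-matching MFA so that an approval cannot be coaxed out of a user with a chat message.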
© Thomson Reuters 2023