According to a research report from Redmond’s Threat Intelligence team, the hacking group is linked to the Foreign Intelligence Service of the Russian Federation (also known as the SVR) and has been caught targeting government, non-governmental organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors, writes Security Week.
Microsoft has flagged the actor as ‘Midnight Blizzard’ (formerly Nobelium) and warns that the group is using already hacked Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities.
The researchers found the hackers using these domains from compromised tenants to send Microsoft Teams messages carrying lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts.
The company said it has traced the targeting to “fewer than 40 unique global organizations,” suggesting a highly surgical cyberespionage operation against targets in the U.S. and Europe.
Olabanji Soledayo, the ESET Nigeria and Ghana cybersecurity evangelist, commented that “It’s not just malicious emails you have to be on the lookout for; malicious actors have been exploiting MS Teams. While the attacks are not technically sophisticated, this time, they rely on an elaborate social engineering technique that masquerades previously compromised accounts of small businesses as technical support accounts and uses these ‘trustworthy looking’ entities to lure the victim into accepting an external request to chat.
According to Microsoft, Midnight Blizzard (aka The Dukes, APT29), a group linked to Russia’s Foreign Intelligence Service (SVR), has been using this method to conduct a cyberespionage campaign. Once in touch with officials in government bodies, NGOs, and target companies, the group would entice the victim to click on a malicious link requesting login credentials.
Spear phishing attacks target individuals with access to specific information, thus requiring the attackers to undertake background work to hone their approach, gain the confidence of their victims and lure them. As with your email, you should also be skeptical of unsolicited approaches from anyone external to the organization trying to reach out through MS Teams.”
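The lure described above depends on an external tenant being able to start a Teams chat with a target. As an added example (not from the article, Microsoft or ESET), the following PowerShell reviews a tenant's Teams external access configuration and restricts it to a named allowlist; it assumes the MicrosoftTeams module, Teams administrator rights, and uses placeholder partner domains.

```powershell
# Added example: tighten Teams external access so only known partner tenants
# can reach your users. Requires the MicrosoftTeams module and Teams admin role.
Connect-MicrosoftTeams

# Review the current state. With AllowFederatedUsers = $true and no domain
# allowlist, any Microsoft 365 tenant (including a compromised small-business
# tenant) can send chat requests to your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound

# Hardened setting: keep federation on, but only for the listed partner
# tenants, and block chats from unmanaged Teams consumer accounts.
# partner1.example / partner2.example are placeholders for real partner domains.
$allowedPartners = @('partner1.example', 'partner2.example')

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allowedPartners `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# Verify that the allowlist, not open federation, is now in effect.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

An allowlist stops the unsolicited external chat request outright; where open federation is required for business reasons, the `BlockedDomains` list can at least deny tenants already seen in lures, and unsolicited external requests should still be treated with the same suspicion as unexpected email.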
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure, and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET's high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET's R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, Instagram and Twitter.