Russian-Linked Hackers Exploit Microsoft Teams in Advanced Cyber Espionage

By ISBuzz Team, Writer, Information Security Buzz | Aug 07, 2023 05:00 am PST

In a rapidly digitalizing world, cyber threats continue to evolve, and recent disclosures from Microsoft have reinforced this concern. Microsoft Teams, a widely used collaboration tool, has been targeted in a sophisticated phishing campaign by a hacker group with ties to the Russian government. The group, named ‘Midnight Blizzard’, has been running a deceptive scheme in which it impersonates technical support staff over Teams chat to steal user credentials and trick users into approving sign-ins.

Methodology Behind the Attacks

Midnight Blizzard, also known as Nobelium, has combined traditional and novel techniques in this operation. The group began by repurposing Microsoft 365 accounts it had compromised earlier, primarily those of small businesses. Those compromised tenants became the foundation for setting up new domains that appeared to belong to genuine technical support teams.

Once these faux domains were established, the group began its phishing effort against Microsoft Teams users. Through carefully crafted chat messages, it coaxed users into revealing their login credentials. The most alarming element of the technique was manipulating users into approving multifactor authentication (MFA) prompts: the attacker initiates a sign-in with the stolen password, and the "support" message persuades the victim to approve the resulting prompt in their authenticator app, so that the approval completes the attacker's sign-in and defeats MFA.
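The two-step sequence described above (a support-themed external Teams message, followed shortly by a successful push-approved sign-in for the same user) is something a SOC can hunt for. The following script is an added illustration written for this article, not code from Microsoft or from the campaign reporting. It runs over constructed sample records whose field names (`time`, `sender`, `display_name`, `recipient`, `user`, `result`, `mfa_method`, `ip`) are assumptions standing in for whatever shape your Teams message export and Entra ID sign-in logs actually have; the tenant domain list, the allowlisted vendor domain and the keyword lists are likewise hypothetical and would be tuned per tenant.

```python
"""Hunt for the Teams-lure -> MFA-approval sequence in constructed log records.

Added example for this article; not Microsoft's code. Field names, domains and
keyword lists are assumptions and must be mapped onto real log schemas.
"""
from datetime import datetime, timedelta

# Hypothetical verified domains of the defending tenant.
TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
# Domains allowed to use the vendor's brand in a sender identity (assumption).
LEGIT_BRAND_DOMAINS = {"microsoft.com"}
# Wording that a fake "technical support" sender is likely to use.
THEME_TERMS = ("support", "helpdesk", "security", "identity", "protection", "admin")
BRAND_TERMS = ("microsoft", "msft", "m365", "office365")


def sender_risk_reasons(sender_upn, display_name):
    """Return the reasons an external Teams sender looks like a support lure ([] if benign)."""
    domain = sender_upn.rsplit("@", 1)[-1].lower()
    if domain in TENANT_DOMAINS:
        return []  # internal sender: not the external-lure pattern this check targets
    haystack = f"{display_name} {domain}".lower()
    reasons = []
    if any(term in haystack for term in THEME_TERMS):
        reasons.append("support/security-themed external sender")
    if any(brand in haystack for brand in BRAND_TERMS) and domain not in LEGIT_BRAND_DOMAINS:
        reasons.append("vendor brand used from a non-vendor domain")
    return reasons


def _ts(value):
    return datetime.fromisoformat(value)


def correlate_lure_and_mfa(messages, signins, window=timedelta(minutes=30)):
    """Pair a risky external Teams message with a later push-approved sign-in by the recipient.

    Only successful sign-ins satisfied by an Authenticator push are considered, because
    that is the step the lure is designed to get the victim to approve.
    """
    alerts = []
    for signin in signins:
        if signin["result"] != "success" or signin["mfa_method"] != "Microsoft Authenticator push":
            continue
        t_signin = _ts(signin["time"])
        for msg in messages:
            if msg["recipient"] != signin["user"]:
                continue
            lag = t_signin - _ts(msg["time"])
            if not (timedelta(0) <= lag <= window):
                continue  # message must precede the sign-in, and not by too long
            reasons = sender_risk_reasons(msg["sender"], msg["display_name"])
            if reasons:
                alerts.append({
                    "user": signin["user"],
                    "sender": msg["sender"],
                    "ip": signin["ip"],
                    "lag_minutes": int(lag.total_seconds() // 60),
                    "reasons": reasons,
                })
    return alerts


# Constructed sample data (not real logs). Domains use the reserved .example TLD.
SAMPLE_MESSAGES = [
    {"time": "2023-08-01T09:00:00", "sender": "helpdesk@msft-identityprotection.example",
     "display_name": "Microsoft Identity Protection", "recipient": "alice@contoso.com"},
    {"time": "2023-08-01T10:00:00", "sender": "dana@fabrikam.example",
     "display_name": "Dana Lee", "recipient": "bob@contoso.com"},
    {"time": "2023-08-01T12:00:00", "sender": "helpdesk@msft-identityprotection.example",
     "display_name": "Microsoft Identity Protection", "recipient": "carol@contoso.com"},
    {"time": "2023-08-01T13:00:00", "sender": "it-support@contoso.com",
     "display_name": "IT Support", "recipient": "dave@contoso.com"},
]
SAMPLE_SIGNINS = [
    {"time": "2023-08-01T09:07:00", "user": "alice@contoso.com", "result": "success",
     "mfa_method": "Microsoft Authenticator push", "ip": "203.0.113.10"},
    {"time": "2023-08-01T10:05:00", "user": "bob@contoso.com", "result": "success",
     "mfa_method": "Microsoft Authenticator push", "ip": "198.51.100.7"},
    {"time": "2023-08-01T14:00:00", "user": "carol@contoso.com", "result": "success",
     "mfa_method": "Microsoft Authenticator push", "ip": "203.0.113.10"},
    {"time": "2023-08-01T13:04:00", "user": "dave@contoso.com", "result": "success",
     "mfa_method": "Microsoft Authenticator push", "ip": "192.0.2.5"},
]

if __name__ == "__main__":
    for alert in correlate_lure_and_mfa(SAMPLE_MESSAGES, SAMPLE_SIGNINS):
        print(alert)
```

On the sample data only alice's sign-in is flagged: bob's partner contact has no support or brand wording, carol's push approval comes two hours after the lure (outside the window), and dave's message is internal. The window and keyword lists are the tuning knobs; a real deployment would also pull the sender's tenant from the Teams audit record rather than inferring it from the UPN, and would treat the sign-in's IP and the lure's tenant as pivots for the rest of the investigation.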

Microsoft’s in-depth analysis paints a vivid picture of the hacker’s objectives. As mentioned in their blog, “The targeted organizations, which include governmental agencies, NGOs, technology firms, manufacturers, and media houses, provide insights into Midnight Blizzard’s espionage motivations.” Microsoft has been proactive in response, deactivating the malicious domains and embarking on a thorough investigation to mitigate the breach’s impact. Additionally, they’ve reached out to affected parties, providing them with resources and information to safeguard their digital environments.

Who is Midnight Blizzard?

This is not Midnight Blizzard's first appearance. The US and UK governments have linked the group to the Russian Federation's Foreign Intelligence Service, the SVR. Its operations, traced back to 2018, predominantly target governmental bodies, diplomatic entities, NGOs, and IT service providers across the US and Europe. The group's modus operandi often involves hijacking genuine accounts, sometimes employing complex techniques to compromise organizational authentication systems.

Expert Opinions on the Matter

We reached out to renowned infosec experts for insights into this matter. Here are their responses:

David Raissipour, Mimecast Chief Technology and Product Officer
August 7, 2023 1:15 pm

“Collaboration platforms have become ubiquitous in workplaces today; but with the immense value these tools bring to businesses comes an equal or greater amount of risk. We’re seeing this real-world risk in this week’s news about a Russian government-linked group launching phishing attacks on dozens of businesses via Microsoft Teams.

While this news garners widespread attention and hopefully awareness, the truth is that this type of breach is not necessarily new or uncommon. In fact, new Mimecast research found that 94% of organizations have experienced a threat via a collaboration platform – despite 74% of cybersecurity leaders expressing confidence in their cyber readiness to defend against these hacks.

Cybersecurity leaders must use this moment as a warning sign and arm their teams with the right skills and technologies to better identify and mitigate attacks across every critical business platform. At Mimecast, we’re expanding our suite of security solutions to ensure organizations using critical platforms like Microsoft Teams can do so safely and smartly.”
