Russian State-Sponsored Hackers Target Microsoft Teams Users
Cybersecurity: Russian Hackers Back with a New Target: Microsoft Teams
Recent reports have revealed that the Russian state-sponsored hackers responsible for the SolarWinds attacks have returned, this time targeting users of the popular Microsoft Teams application. The hackers, known as Midnight Blizzard, are carrying out targeted campaigns aimed at stealing Microsoft 365 passwords and gaining access to organizations’ Azure Active Directory environments. Microsoft issued a warning regarding this activity on Thursday, noting that approximately 40 organizations across the government, NGO, IT services, technology, discrete manufacturing, and media sectors have been targeted globally.
Advanced Persistent Threat
The Midnight Blizzard group, also known as Nobelium, APT29, UNC2452, and Cozy Bear, has a long history in cyber-espionage and has been tied to numerous high-profile attacks. They are considered an advanced persistent threat, known for their consistency and persistence in targeting organizations for cyber-espionage purposes. This latest attack focuses on compromising Microsoft 365 tenants, primarily small businesses.
Modus Operandi: Impersonating Technical Support
To carry out their attacks, the hackers adopt the guise of technical support personnel. They send messages to users, posing as support representatives, and request their Microsoft 365 credentials and multifactor authentication (MFA) prompts. By obtaining these credentials, the threat actors gain access to the victims’ Microsoft 365 accounts and all associated data and applications, including Outlook, Teams, and cloud versions of Microsoft Office.
Additionally, Midnight Blizzard attempts to add a device to the compromised organization through Microsoft Entra ID, formerly known as Azure Active Directory. This could be an attempt to bypass conditional access policies that restrict access to specific resources only to managed devices.
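A defender can watch for the device-registration step described above by correlating directory audit events with recent sign-ins. The following is an added example, not code from Microsoft or the original article: it assumes simplified records that use Microsoft Graph sign-in and directory audit field names, and the function name, the per-user `known_ips` baseline and all sample data are hypothetical and constructed.

```python
from datetime import datetime, timedelta

# Activity names as shown in Entra ID audit logs; confirm against your tenant's export.
DEVICE_ACTIVITIES = {"Add device", "Register device"}

def _ts(value):  # Graph-style timestamps are ISO 8601 UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def flag_device_adds(signins, audits, known_ips, window_minutes=60):
    """Return (upn, device, ip) for device adds that follow a sign-in from a non-baseline IP."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for event in audits:
        if event.get("activityDisplayName") not in DEVICE_ACTIVITIES:
            continue
        # Some events are initiated by a service principal and carry no user; skip those.
        user = (event.get("initiatedBy") or {}).get("user") or {}
        upn = (user.get("userPrincipalName") or "").lower()
        if not upn:
            continue
        when = _ts(event["activityDateTime"])
        for s in signins:
            delta = when - _ts(s["createdDateTime"])
            if (s["userPrincipalName"].lower() == upn
                    and timedelta(0) <= delta <= window
                    and s["ipAddress"] not in known_ips.get(upn, set())):
                findings.append((upn, event["targetResources"][0]["displayName"], s["ipAddress"]))
                break
    return findings

# Constructed sample records (documentation IP ranges, made-up names); baseline is hypothetical.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-01-10T10:02:00Z"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.10",
     "createdDateTime": "2024-01-10T09:00:00Z"},
]
AUDITS = [
    {"activityDisplayName": "Register device", "activityDateTime": "2024-01-10T10:15:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "Alice@example.com"}},
     "targetResources": [{"displayName": "DESKTOP-CONSTRUCTED"}]},
    {"activityDisplayName": "Register device", "activityDateTime": "2024-01-10T09:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"displayName": "BOB-LAPTOP"}]},
    {"activityDisplayName": "Add device", "activityDateTime": "2024-01-10T11:00:00Z",
     "initiatedBy": {"app": {"displayName": "Device Registration Service"}},
     "targetResources": [{"displayName": "SERVICE-ADDED"}]},
]
KNOWN_IPS = {"alice@example.com": {"192.0.2.20"}, "bob@example.com": {"192.0.2.10"}}
```

Calling `flag_device_adds(SIGNINS, AUDITS, KNOWN_IPS)` flags only the registration that follows a sign-in from an address outside that user's baseline.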
The Ubiquity of Cloud Services and the Cybersecurity Landscape
As cloud services become increasingly prevalent across all types of organizations, they have also become attractive targets for cybercriminals and nation-state threat actors. The Microsoft 365 platform has emerged as a popular target for such attacks, as demonstrated by the recent email breach that affected several US government agencies.
Darren James, a senior product manager with Specops Software, emphasizes the importance of a multi-layered approach to combatting evolving online threats. Essential measures include enforcing strong, secure passphrases that have not been breached, implementing phishing-resistant multifactor authentication (MFA), configuring conditional access policies, and training all staff members on the threat of phishing attacks and on password hygiene. These steps are crucial in protecting organizations from this particular attack vector.
Conclusion
The Midnight Blizzard hacking group’s latest campaign targeting Microsoft Teams users highlights the ongoing challenges posed by nation-state-sponsored cyber threats. The attackers’ use of compromised Microsoft 365 tenants and their impersonation of technical support personnel serve as stark reminders of the importance of robust cybersecurity measures within organizations. As cyber threats continue to evolve, businesses and individuals must remain vigilant, implementing a multi-layered approach to mitigate risks and protect sensitive information.