A Russian government-linked hacking group took aim at dozens of global organizations with a campaign targeting Microsoft Teams users, Microsoft researchers said on Wednesday.
In late May, the hacker team began its attempts to steal login credentials by engaging users in Microsoft Teams chatrooms, pretending to be from technical support.
In a blog post, Microsoft researchers called the campaign a “highly targeted social engineering attack” by a Russia-based hacking team dubbed Midnight Blizzard.
The hacking group, which was previously tracked as Nobelium, has been attributed by the U.S. and UK governments as part of the Foreign Intelligence Service of the Russian Federation.
“The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors,” the researchers wrote, without naming any of the targets.
The Russian embassy in Washington didn’t immediately respond to a request for comment.
“As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments,” the company said.
According to the Microsoft blog post, the hackers used previously-compromised Microsoft 365 accounts owned by small businesses to set up domains and accounts containing the word “Microsoft,” making them look like bonafide technical support sites.
The next step was to bait Teams users to engage with the hackers in chats to get them to approve multifactor authentication (MFA) prompts.
“If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device,” Microsoft said.
If the target follows the instructions, the hackers instantly gain full access to the user’s account.
MFAs are a reliable and widely recommended security protocol.
“This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques,” the Microsoft researchers said.
For now, the fake domains and accounts have been neutralized, the researchers said.
“Microsoft has mitigated the actor from using the domains and continues to investigate this activity and work to remediate the impact of the attack,” Microsoft said.
The company also put forth a list of recommended precautions to reduce the risk of future attacks, including educating users about “social engineering” attacks.
Midnight Blizzard has been operational since 2018, mainly targeting organizations in the United States and Europe.
Reuters contributed to this report.
