Russian state-sponsored hackers posed as technical support staff on Microsoft Teams to compromise dozens of global organizations, including government agencies.
Microsoft security researchers said on Wednesday that the “highly targeted” social engineering campaign was carried out by a Russian state-sponsored hacking group tracked by Microsoft as “Midnight Blizzard,” but more commonly known as APT29 or Cozy Bear. The group, which was linked to the infamous SolarWinds attack in 2020, is part of Russia’s Foreign Intelligence Service, or SVR, according to U.S. and U.K. law enforcement agencies.
The attacks, which began in late-May, saw the APT29 hackers use previously compromised Microsoft 365 accounts to create new technical support-themed domains. Using these domains, the hackers sent Microsoft Teams messages that aimed to manipulate users into granting approval for multifactor authentication prompts, with the ultimate aim of gaining access to user accounts and exfiltrating sensitive information.
“If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device,” Microsoft said. If the victim follows these instructions, the hacker is able to gain full access to the users’ account.
Microsoft’s investigation into the campaign indicates that fewer than 40 unique global organizations were targeted or breached, including government agencies, non-government organizations, IT services, technology, discrete manufacturing and media sectors. The organizations targeted were not named, but “indicate specific espionage objectives” by the Russian hackers, Microsoft says.
Microsoft says it has mitigated the hacking group from using the domains and “continues to investigate this activity,” including the hackers’ precursory attacks to compromise legitimate Azure tenants and the use of homoglyph domains — domains that take advantage of similarities in font letters to impersonate legitimate domains — in social engineering campaigns.
News of this Russia-linked social engineering campaign comes weeks after Chinese hackers exploited a flaw in Microsoft’s cloud email service to gain access to the email accounts of U.S. government employees.