Russian hackers target multiple global organisations in social engineering campaign
Microsoft security researchers have uncovered a sophisticated social engineering campaign by "Midnight Blizzard", also known as APT29, the same group suspected of being behind the 2020 SolarWinds attack.
APT29, which is part of Russia's Foreign Intelligence Service, impersonated technical support staff on Microsoft Teams to compromise dozens of global corporations and government agencies.
The attacks leveraged previously compromised Microsoft 365 accounts to set up new technical support-themed domains. APT29 then used these domains to send Microsoft Teams messages to users and tried to convince them to approve multifactor authentication prompts. The ultimate goal was to gain access to user accounts and exfiltrate sensitive information.
Once the target user accepted the message request, the hacker would send a convincing Microsoft Teams message, instructing the user to enter a code into the Microsoft Authenticator app on their mobile device. If the victim followed these instructions, the hacker gained full access to the user's account.
Investigations by Microsoft revealed that fewer than 40 unique global organisations were targeted or breached. These included government bodies, non-governmental organisations, and IT services, technology, manufacturing and media companies. While the organisations were not named, Microsoft emphasises that the attacks were linked to specific espionage objectives pursued by the Russian hackers.
Microsoft has mitigated the group's use of the domains to counter its activities and is actively investigating the campaign. This includes examining the hackers' precursor attacks aimed at compromising legitimate Azure tenants and their use of homoglyph domains, which exploit the visual similarity of letters in common fonts to impersonate legitimate domains in social engineering campaigns.
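As an added illustration of how a defender can screen external Teams sender domains for the homoglyph trick described above (this is example code, not from the article or from Microsoft), the check below reduces each domain label to a visual "skeleton" and flags labels that imitate a protected name only after confusable characters are normalised. The confusable table, the protected names and the sample sender domains are all constructed for the example.

```python
import unicodedata
from typing import Dict, Iterable, Optional

# Constructed subset of visually confusable characters mapped to the Latin
# letter they imitate (a production check would use the full Unicode
# confusables table). Cyrillic letters below look identical to Latin ones.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p",  # Cyrillic о а е р
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic с х і ѕ
    "\u0131": "i", "\u0142": "l",                                  # dotless i, l-stroke
}
# Multi-character sequences that read as one letter in many fonts.
MULTI = {"rn": "m", "vv": "w", "cl": "d"}

# Constructed list of names an organisation wants protected from imitation.
PROTECTED = ["microsoft", "support"]

def skeleton(label: str) -> str:
    """Reduce a domain label to the Latin string a human would perceive."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in MULTI.items():
        s = s.replace(seq, rep)
    return s

def lookalike_of(domain: str, protected: Iterable[str] = PROTECTED) -> Optional[str]:
    """Return the protected name a domain imitates via homoglyphs, else None.

    A label is flagged only when its skeleton contains the protected name but
    the raw label does not, so genuine domains such as microsoft.com pass.
    """
    for label in domain.lower().rstrip(".").split("."):
        sk = skeleton(label)
        for name in protected:
            if name in sk and name not in label:
                return name
    return None

def flag_senders(domains: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious external sender domain to the name it imitates."""
    return {d: hit for d in domains if (hit := lookalike_of(d))}

# Constructed external sender domains as they might appear in a Teams
# message audit; none of these is a real domain from the campaign.
SAMPLE_SENDERS = ["microsoft.com", "rnicrosoft-support.com",
                  "micr\u043esoft.com", "example.org", "it-supp0rt.net"]
```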
This revelation of the Russia-linked social engineering campaign comes in the wake of recent Chinese hacker activity, in which the attackers used a vulnerability in Microsoft's cloud email service to gain unauthorised access to the email accounts of U.S. government employees.
As cybersecurity threats continue to evolve, organisations must remain vigilant against social engineering tactics. They must employ robust security measures to protect their sensitive data and networks. Microsoft's ongoing efforts to investigate and mitigate such attacks are crucial in safeguarding digital ecosystems from state-sponsored threat actors.