
Russia’s Midnight Blizzard hackers launch a flurry of Microsoft Teams attacks


The Russian state-sponsored group behind the SolarWinds intrusion has resurfaced, this time using Microsoft Teams chat messages as the delivery channel for targeted credential-theft attacks against Microsoft 365 users. The group, which Microsoft tracks as Midnight Blizzard, an advanced persistent threat (APT), has also been observed operating from compromised Microsoft 365 tenants and attempting to register its own devices in victims’ Azure Active Directory environments to extend its access.

Microsoft issued the warning last Thursday. Midnight Blizzard, also tracked as Nobelium, APT29, UNC2452 and Cozy Bear, had by then targeted fewer than 40 organizations worldwide, spanning government, non-governmental organizations (NGOs), IT services, technology, discrete manufacturing and media.

The campaign does not rely only on infrastructure the attackers own. Microsoft reports that the group uses Microsoft 365 tenants it previously compromised, many of them belonging to small businesses, as the launch point for its lures, so a small organization’s tenant can be turned against far larger targets. Microsoft has acknowledged that its cloud platform is an attractive target for nation-state actors, as the recent breach of email accounts at several US government agencies showed.

“The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant,” explained Microsoft researchers in a blog post. “The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages.”

The lure poses as technical support. The target first receives an external chat request from the look-alike tenant; if the user accepts it, the attacker sends a message designed to get the user to hand over Microsoft 365 credentials and to approve or enter a multifactor authentication (MFA) code in the Microsoft Authenticator app. Once the code is accepted the actor holds a session as that user and begins harvesting data from Microsoft 365 services including Outlook, Teams and the cloud versions of Microsoft Office.
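The tradecraft quoted above (a renamed tenant, a fresh security-themed onmicrosoft.com subdomain, a new sender user) is something a defender can screen for before the recipient ever clicks accept on the external chat request. The script below is an added example, not Microsoft’s detection logic or anything from the original report; it applies a hypothetical triage heuristic to a constructed sample of external Teams chat requests (the records, keyword list and partner allowlist are all made up for illustration) and escalates senders whose tenant is a bare `<label>.onmicrosoft.com` subdomain carrying security- or product-themed keywords, unless the domain is already on the allowlist.

```python
"""Triage external Microsoft Teams chat requests for tenant-impersonation lures.

Heuristic (an assumption for this example, not a vendor rule): an external
sender whose tenant is a bare <label>.onmicrosoft.com subdomain, whose label or
tenant display name carries security- or product-themed keywords, and who is
not on the allowlist of known partner tenants, is escalated for review before
the recipient accepts the chat.
"""
from dataclasses import dataclass, field

# Keywords of the kind the report describes (security- or product-themed).
SUSPICIOUS_KEYWORDS = (
    "microsoft", "msft", "security", "protection", "identity",
    "support", "helpdesk", "alert", "defender", "compliance",
)

# Hypothetical allowlist of partner tenants the organisation already chats with.
TRUSTED_EXTERNAL_DOMAINS = {"partner-co.onmicrosoft.com", "contoso.com"}

# Constructed sample records; not a real Teams or audit-log export.
SAMPLE_REQUESTS = [
    {"recipient": "alice@example.org",
     "sender": "helpdesk@msftprotection.onmicrosoft.com",
     "tenant_display_name": "Microsoft Identity Protection"},
    {"recipient": "bob@example.org",
     "sender": "jane@partner-co.onmicrosoft.com",
     "tenant_display_name": "Partner Co"},
    {"recipient": "carol@example.org",
     "sender": "support@securitycenter-alerts.onmicrosoft.com",
     "tenant_display_name": "Security Center"},
    {"recipient": "dave@example.org",
     "sender": "pete@contoso.com",
     "tenant_display_name": "Contoso"},
    {"recipient": "eve@example.org",
     "sender": "notifications@bargain-widgets.onmicrosoft.com",
     "tenant_display_name": "Bargain Widgets"},
]


@dataclass
class Finding:
    recipient: str
    sender: str
    reasons: list = field(default_factory=list)


def sender_domain(upn: str) -> str:
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def is_bare_onmicrosoft_subdomain(domain: str) -> bool:
    """True for <label>.onmicrosoft.com, the default domain every tenant gets.

    A newly added subdomain of this form has no DNS history or brand behind it,
    which is why an attacker can mint one on a compromised tenant in minutes.
    """
    labels = domain.split(".")
    return len(labels) == 3 and labels[1:] == ["onmicrosoft", "com"]


def keyword_hits(text: str) -> list:
    """Return the suspicious keywords that occur in text (case-insensitive)."""
    lowered = text.lower()
    return [k for k in SUSPICIOUS_KEYWORDS if k in lowered]


def assess(request: dict) -> Finding:
    """Score one external chat request; an empty reasons list means no escalation."""
    domain = sender_domain(request["sender"])
    finding = Finding(request["recipient"], request["sender"])
    if domain in TRUSTED_EXTERNAL_DOMAINS:
        return finding  # known partner tenant, nothing to flag
    if is_bare_onmicrosoft_subdomain(domain):
        hits = keyword_hits(domain.split(".")[0])
        if hits:
            finding.reasons.append(
                f"bare onmicrosoft.com subdomain with themed keywords: {hits}")
    hits = keyword_hits(request.get("tenant_display_name", ""))
    if hits:
        finding.reasons.append(
            f"tenant display name with themed keywords: {hits}")
    return finding


def triage(requests) -> list:
    """Return the Findings that carry at least one escalation reason."""
    flagged = []
    for request in requests:
        finding = assess(request)
        if finding.reasons:
            flagged.append(finding)
    return flagged


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(f"{finding.recipient} <- {finding.sender}")
        for reason in finding.reasons:
            print(f"    {reason}")
```

On the constructed sample only the two look-alike tenants are escalated: the allowlisted partner and the untrusted but non-themed tenant pass, which is the point of combining the subdomain shape, the keyword check and the allowlist rather than blocking every onmicrosoft.com sender. In a real deployment the records would come from the Teams external access audit events and the allowlist would mirror the tenant’s configured trusted organizations.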

“In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only,” added the Microsoft researchers in their post.

Midnight Blizzard’s targeting and cyber-espionage objectives have stayed consistent across years of activity; what changes is the delivery mechanism. This campaign pairs a new channel, Teams chat, with well-worn social engineering, and that combination of persistence and adaptation is what makes the group a durable threat.

As nation-state hacking continues to present significant challenges, organizations need controls that address this campaign’s actual weak point. Routine password rotation and software patching do little here, because the lure targets the authentication step rather than a software flaw. What matters is phishing-resistant MFA (FIDO2 security keys, Windows Hello for Business or certificate-based authentication) enforced through Conditional Access authentication strength, Teams external access restricted to an allowlist of trusted organizations, Conditional Access policies that require a compliant device, and review of any unexpected device registrations and MFA prompts.

Organizations also need the telemetry and controls to detect and block unauthorized access and data exfiltration, and users who treat any unsolicited chat request that asks for a password or an authentication code as suspicious and report it rather than respond.

Midnight Blizzard’s current focus is Microsoft 365 credentials, but the technique depends on a user accepting an external chat and acting on an authentication prompt; that is the behaviour to train against and the control point to harden, whatever the next lure looks like.
