Russia's 'Midnight Blizzard' Hackers Launch Flurry of Microsoft Teams Attacks

The Nobelium APT is launching highly targeted Teams-based phishing attacks on government and industrial targets using compromised Microsoft 365 tenants, with the aim of data theft and cyber espionage.

photo of snow blizzard and lights at night outside in Stockholm, Sweden
Source: ArtesiaWells via Alamy Stock Photo

The Russian state-sponsored hackers behind the SolarWinds attacks are back again, now using the Microsoft Teams application to mount targeted campaigns aimed at stealing Microsoft 365 passwords, and pivoting into organizations' Azure Active Directory environments and beyond.

Microsoft flagged the activity on Thursday, noting that the Midnight Blizzard advanced persistent threat (aka Nobelium, APT29, UNC2452, and Cozy Bear) has so far gone after around 40 government organizations, nongovernmental organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors globally.

But there are other victims, too. To carry out the attack, Midnight Blizzard is using compromised Microsoft 365 tenants, mainly small businesses, Redmond noted. Microsoft 365 has become a popular target for nation-state threats, most recently anchoring a sprawling email breach that affected government agencies in the US.

"The actor renames the compromised tenant, adds a new subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant," Microsoft researchers explained in a post. "The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages."

The cyberattackers are posing as technical support in order to snow users into handing over their Microsoft 365 credentials and multifactor authentication (MFA) prompts -- thus giving the threat actor access to those Microsoft 365 accounts and all the data and applications associated with it, which include Outlook, Teams, cloud versions of Microsoft Office, and more.

"In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only," according to the post.

The researchers added, "Midnight Blizzard is consistent and persistent in their operational targeting, and their [cyber-espionage] objectives rarely change."

“Now that cloud services are so ubiquitous across all types of organization, so they have also become the latest battleground for criminal and nation state sponsored threat actors," said Darren James, senior product manager with Specops Software, via email. "This once again shows that organizations must take a multi-layered approach to combating these evolving online threats. They should enforce strong, secure passphrases which have not been breached, alongside phishing-resistant MFA, conditional access, provide training to all staff about the threat of phishing attacks and password hygiene. These steps are vital to protect organizations from this attack vector."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights