According to Microsoft security researchers, the “highly targeted” social engineering attack was carried out by a Russian state-sponsored hacking outfit known as “Midnight Blizzard,” but more often known as APT29 or Cozy Bear.
According to US and UK law enforcement sources, the outfit, which was tied to the infamous SolarWinds hack in 2020, is part of Russia’s Foreign Intelligence Service, or SVR. The APT29 attackers used already hacked Microsoft 365 accounts to register new technical support-themed domains in the attacks, which began in late May.
What is Known About the Hackers
Using these domains, the hackers sent Microsoft Teams messages designed to trick users into accepting permission for multi factor authentication requests, with the ultimate goal of obtaining control over user accounts and exfiltrating sensitive data. “If the target user approves the sender’s request, the user receives a Microsoft Teams message from the hacker trying to persuade them to enter a code into the Microsoft Authenticator app on their handheld device,” Microsoft explained.
If the target takes these directions, the hacker gains complete control of the user’s account. According to Microsoft’s study, fewer than 40 distinct global companies have been assaulted or compromised, including government agencies, non-government organizations, IT services, technology, discrete production, and media industries. According to Microsoft, the firms targeted were not identified, but “indicate specific espionage objectives” by the Russian hackers.
Microsoft states it has prevented the criminal organization from employing the domains and “continues to investigate this activity,” which includes the hackers’ precursory assaults against valid Azure residents and the employing of homoglyph domains in social engineering campaigns, which take advantage of similarities in font letters to impersonate legitimate domains.
The revelation of this Russia-linked social engineering campaign comes only weeks after Chinese hackers used a hole in Microsoft’s cloud email service to get access to the email accounts of US federal officials.