Russian Hackers Target More Than 40 Global Organizations With Attacks Under The Guise Of Technical Support In Microsoft Teams

JAKARTA - A hacker group linked to the Russian government has attacked dozens of global organizations with a campaign to steal login credentials by pretending to be technical support in Microsoft Teams conversations. This was revealed by Microsoft researchers on Wednesday, August 2.

This "very targeted" social engineering attack has affected "less than 40 unique global organizations" since late May, Microsoft researchers said in a blog post. They added that the company was investigating the matter.

The Russian embassy in Washington has not yet responded to requests for comment from the media.

According to the researchers, the hackers set up domains and accounts that looked like technical support, tried to start conversations with Teams users, and attempted to get those users to approve multi-factor authentication (MFA) prompts.

"Microsoft has mitigated the actor's efforts to use the domain and continues to investigate this activity and work to remediate the impact of this attack," they added.

Teams is Microsoft's business communication platform, with more than 280 million active users, according to the company's financial statements in January 2023.

MFA is a security measure that is highly recommended to prevent hacking or the theft of credentials. Targeting Teams shows that hackers are finding new ways to get around such security measures.

The hacker group responsible for this activity, known in the industry as Midnight Blizzard or APT29, is based in Russia, and the UK and US governments have linked it to the country's foreign intelligence service, the researchers said.

"The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-governmental organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors," they wrote, without naming the targets.

"This latest attack, combined with past activity, further demonstrates Midnight Blizzard's ongoing pursuit of its objectives using both new and common techniques," the researchers wrote.

Midnight Blizzard has been known to target these organizations, particularly in the US and Europe, since 2018, they added.

The hackers used previously compromised Microsoft 365 accounts belonging to small businesses to create new domains that looked like technical support entities and contained the word "microsoft", according to details on Microsoft's blog. Accounts associated with these domains then sent phishing messages through Teams to lure targets, the researchers said.