Microsoft Teams chats are being hijacked by Russian hackers to spy on your business

password manager security
(Image credit: Passwork)

Russian military hackers are reportedly using compromised Microsoft 365 accounts to target businesses in the United States, and have so far successfully breached up to 40 firms.

A new report from Microsoft’s researchers claims to have spotted a group they track as Midnight Blizzard (also known as NOBELIUM, or Cozy Bear) - a known Russian state-sponsored threat actor. Apparently, the group has been using Microsoft 365 accounts, belonging to various small businesses across the country and stolen in earlier attacks, to target specific firms with phishing messages and social engineering lures distributed through Microsoft Teams. Apparently, the hackers were impersonating tech support staff and tried to get their victims to share login credentials and multi-factor authentication (MFA) keys with them. 

Midnight Blizzard is focused on cyber-espionage and data harvesting, Microsoft explained, with firms in government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors being the primary targets. The group is mostly interested in entities residing in the West, either in Europe or in the United States. 

Microsoft also said that the campaign affected “fewer than 40 unique global organizations”, and that it blocked access to compromised domains, suggesting that the campaign’s attack vector is disabled. Compromised businesses have been notified, the company added. 

In some cases, NOBELIUM also targeted firms whose systems are protected with multi-factor authentication. Without going into too much detail, Microsoft said that the threat actors managed to make it past MFA by tricking the victims into sharing the time-based key on time. 

Midnight Blizzard is using a wide array of common techniques in its campaigns, the report concludes, adding that the group doesn’t shy away from adding new techniques and advanced approaches to the attacks. So far, the group was observed using EnvyScout, BoomBox, NativeZone, and VaporRage, as part of its toolset.

As explained by BleepingComputer, EnvyScout is a malicious HTML/JS file attachment used in spear-phishing emails used to grab NTLM credentials of Windows accounts. It can also serve as a payload dropper. BoomBox is a malware dropper, used to drop the two remaining names on the list - NativeZone and VaporRage. 

Analysis: Why does it matter?

Midnight Blizzard is enough of a danger to be on the radar of US and UK governments. Apparently, it’s being run by the Foreign Intelligence Service of the Russian Federation - SVR. These hackers usually target high-profile individuals such as politicians and diplomats, journalists, intellectuals, and others, but they also target IT service providers and critical infrastructure providers. 

The goal of Midnight Blizzard’s work is to gather intelligence and learn as much as possible about the inner workings of diplomats in the West. Given the current situation surrounding Ukraine, but other places where Russia might have some influence, like Niger, intelligence-gathering work is as important as it ever was. 

The first traces of Midnight Blizzard’s existence go back to 2018, Microsoft says, adding that in many cases, the group looks to compromise valid accounts and use them to go deeper into the rabbit hole. In the past, the group was observed using Active Directory Federation Service (ADFS) malware named FOGGYWEB and MAGICWEB. In newer times, it became globally famous by behind behind the infamous SolarWinds attack.

What have others said about Midnight Blizzard?

In May 2021, CNBC reported of Russia’s Nobelium using USAID’s email system to distribute phishing messages. More than 3,000 malicious emails were sent at the time, with at least a quarter of victims being involved in international development, humanitarian and human rights work. While the majority of the targets were located in the United States, the victims were scattered across 24 different countries. 

Microsoft has been quite vocal in its tracking of the group. In October 2021, Tom Burt - Corporate Vice President, Customer Security & Trust at Microsoft - published a blog post on the group’s latest activity, arguing that the threat actor was behind the 2020 SolarWinds attack, as well. “We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” he explained at the time. 

At the time, Burt explained the recent activity as a fresh indicator of Russia trying to gain “long-term, systematic access” to a variety of points in the technology supply chain. A month later, a separate Microsoft article labeled Midnight Blizzard “the most sophisticated nation-state attack in history”.

Just weeks before this incident, on June 21 this year, Microsoft took to Twitter to warn its customers about Midnight Blizzard, saying the group ramped up its credential attack activity. “These attacks target governments, IT service providers, NGOs, defense industry, and critical manufacturing,” the tweet reads. “These credential attacks use a variety of password spray, brute force, and token theft techniques. Midnight Blizzard (NOBELIUM) has also conducted session replay attacks to gain initial access to cloud resources leveraging stolen sessions likely acquired via illicit sale,” Microsoft explained. 

Go deeper

If you want to learn more, make sure to read our earlier coverage of Nobelium, especially the SolarWinds hack. You should also make sure to read our in-depth guides for best firewalls, and best endpoint protection tools around.  

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.