Recommended reading

Russia-linked hackers are attacking small businesses using fake Microsoft Entra pages

News
By published

Russian attackers are after intelligence info

Russia
Et bilde av et tastatur der Enter-knappen har påmalt et russisk flagg, med en liten gullbjørn stående på tasten. (Image credit: Shutterstock / Aleksandra Gigowska)
  • Microsoft spots fake Entra pages being distributed in phishing emails
  • The attacks targeted organizations in the West, mostly in critical infrastructure
  • The goal was to gather intelligence for the Russo-Ukrainian conflict

Russian hacking campaigns, part of the country’s wider war effort against Ukraine, are getting more aggressive, security researchers from Microsoft have claimed, after they spotted a change in how a specific threat actor, called Void Blizzard, is running its operations.

Void Blizzard, also known as Laundry Bear, would usually buy login credentials off the dark web and use them to gain access to their targets’ IT infrastructure. Once inside, the hackers would exfiltrate emails, sensitive files, and business data, and look for means to continue moving laterally throughout the organization.

However, in recent times, the group has switched from buying login credentials into stealing them itself, and to do that it started spoofing Microsoft Entra login pages.

NATO in the crosshairs

Microsoft Entra is a comprehensive identity and network access solution that many organizations use to secure access to their digital resources across both cloud and on-prem. Void Blizzard would create fake pages using typosquatted domains and then distribute them to the victims using spear phishing and similar methods.

The victims are mostly small and medium-sized businesses (SMB) located in the West, as the campaign “disproportionately” targets organizations in Ukraine and NATO member states, Microsoft says, suggesting it is actually part of Russia’s war on Ukraine, and is designed to collect intelligence from critical sectors.

That being said, the majority of the victims are in government, defense, transportation, media, NGO, and healthcare.

In some instances, the hackers targeted education, telecommunications, and law enforcement agencies, as well, with more than 20 NGOs in Europe and North America targeted.

“Void Blizzard primarily targets NATO member states and Ukraine. Many of the compromised organizations overlap with past—or, in some cases, concurrent—targeting by other well-known Russian state actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard,” Microsoft concluded.

“This intersection suggests shared espionage and intelligence collection interests assigned to the parent organizations of these threat actors.”

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.