Russian Foreign Intelligence Campaign Targets Around 40 Organizations Globally
A Russian espionage group attacked multiple organizations to steal credentials using Microsoft Teams chats that appear to originate from technical support.
Microsoft on Wednesday attributed the activity to Midnight Blizzard, previously tracked by the computing giant as Nobelium and also known as Cozy Bear and APT29. The actor used previously compromised Microsoft 365 accounts owned by small businesses to create new domains that appear as technical support entities, Microsoft said. The campaign has affected fewer than 40 organizations since May.
Combining past and new attack techniques, the hacker set up domains and accounts to mimic a technical support presence and tried to get Teams users to approve multifactor authentication prompts.
The White House in 2021 formally linked the threat actor to the Russian Foreign Intelligence Service. It has a history of targeting industries such as healthcare, pharmaceuticals, academia, energy, financial, government, media, technology and think tanks. The group was behind the SolarWinds’ Orion attack in 2020.
Microsoft said victims of its latest campaign include governmental agencies, nongovernment organizations and private sector firms in the IT services, technology, manufacturing and media sectors.
The Russian hackers are using token theft techniques – a way to steal authentication tokens from users or systems – for initial access. Other attempts involve spear-phishing, password spraying, brute forcing and compromising valid accounts and authentication mechanisms.
The tech giant said it had mitigated the actor from using the domains and is working to remediate the impact of the attack.
Microsoft noticed Midnight Blizzard first taking control of small businesses’ Microsoft 365 hacked accounts and launching deceptive attacks on the companies. To make their attacks seem legitimate, the hackers change the names of the compromised accounts and add a new subdomain such as
If a target has multifactor authentication, the hackers tell the victim to complete the logon process by entering the one-time code, which gives the hackers access to the victim’s account.
Post-compromise activity includes information theft from the compromised Microsoft 365 tenant. In some cases, Microsoft observed that the hacker attempts to “add a device to the organization as a managed device via Microsoft Entra ID, likely to circumvent conditional access policies configured to restrict access to specific resources to managed devices only.”
Recently, researchers at Recorded Future reported that a Russian intelligence hacking campaign by APT29 had actively targeted European diplomats and think tanks as part of an espionage operation that lasted nearly six months (see: European Governments Targeted in Russian Espionage Campaign).
In April, the Polish CERT and Military Counterintelligence Service warned of an APT29 campaign that had used EnvyScout malware to target diplomats associated with NATO and the European Union (see: Russian APT Hackers Actively Targeting European NATO Allies).