Russian Hacker Group ‘Midnight Blizzard’ Behind Microsoft Teams Cyber Attack

Aug 3, 2023

Microsoft has attributed a recent campaign of phishing attacks delivered over Microsoft Teams to Midnight Blizzard, a Russian state-linked hacking group.

According to Microsoft researchers, the government-linked group has run dozens of highly targeted social-engineering attacks aimed at stealing login credentials from organizations worldwide.

Midnight Blizzard, also known as NOBELIUM, Cozy Bear, or APT29, is associated with the Foreign Intelligence Service of the Russian Federation (SVR).

In this campaign the group is not exploiting a software vulnerability in Microsoft 365. It relies instead on Microsoft 365 tenants it has already compromised, and uses those tenants to register new domains that look legitimate to the people it targets.

Microsoft has also described the threat actor's tactics and the sequence of events in the Teams attacks.

“In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities,” reads the blog post by Microsoft.

Microsoft Teams Cyber Attack, and a Closer Look at Midnight Blizzard

According to the Microsoft blog post, Midnight Blizzard either obtains valid account credentials for its targets through social engineering and phishing, or targets users who have passwordless authentication configured on their accounts.

Both routes end at the same step: the sign-in flow displays a code that the user must enter into the Microsoft Authenticator app on their mobile device before the sign-in completes.

The attackers initiate that sign-in themselves, then message the targeted user over Microsoft Teams while posing as technical support and ask them to enter the code into the Authenticator app. A user who complies is approving the attacker's sign-in, and in doing so hands over access to their Microsoft 365 account.

With this access, the attackers attempt to steal sensitive information and may register a device with the organization's Microsoft Entra ID (formerly Azure Active Directory) tenant, likely to bypass conditional access policies that restrict access to managed devices.
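The attack flow above leaves two traces a defender can correlate: an MFA approval for a sign-in that came from an IP address the user has never used, followed shortly by a device being registered to the tenant. The following detection sketch is an added example, not code from Microsoft or from the original article. It runs over constructed sample records; the field names (`user`, `ip`, `mfa`, `op`, `from_tenant`), the tenant and domain names, and the "brand word" list used to spot lookalike support tenants are all assumptions for illustration, not the real Entra ID log schema.

```python
"""Correlate unusual MFA approvals with follow-on device registration, and flag
Teams senders from lookalike *.onmicrosoft.com tenants.

All data below is constructed for the example; field names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample events (not real logs). Times are UTC, ISO 8601. ---
SIGNINS = [
    # Routine sign-ins that establish alice's baseline of known IPs
    {"user": "alice@contoso.example", "time": "2023-07-20T09:02:00", "ip": "203.0.113.10", "mfa": "approved"},
    {"user": "alice@contoso.example", "time": "2023-07-24T08:58:00", "ip": "203.0.113.10", "mfa": "approved"},
    # Attacker-initiated sign-in that alice approved after typing the Authenticator code
    {"user": "alice@contoso.example", "time": "2023-08-01T14:12:00", "ip": "198.51.100.77", "mfa": "approved"},
    # Prompt from a new IP that bob did not approve: noisy, but not a takeover
    {"user": "bob@contoso.example", "time": "2023-08-01T10:00:00", "ip": "198.51.100.78", "mfa": "denied"},
]
AUDITS = [
    # Device joined to the tenant 28 minutes after alice's suspicious approval
    {"user": "alice@contoso.example", "time": "2023-08-01T14:40:00", "op": "Add registered device"},
]
TEAMS_MESSAGES = [
    {"to": "alice@contoso.example", "from": "it@contoso.onmicrosoft.com",
     "from_tenant": "contoso.onmicrosoft.com"},
    {"to": "alice@contoso.example", "from": "support@msft-identity-protection.onmicrosoft.com",
     "from_tenant": "msft-identity-protection.onmicrosoft.com"},
]

OWN_TENANT = "contoso.onmicrosoft.com"           # assumption: the defender's own tenant
BRAND_WORDS = ("microsoft", "msft", "identity", "protection", "support", "security")


def parse_time(s):
    return datetime.fromisoformat(s)


def baseline_ips(signins, cutoff):
    """IPs each user successfully used before `cutoff`: their 'known good' set."""
    known = defaultdict(set)
    cutoff = parse_time(cutoff)
    for e in signins:
        if e["mfa"] == "approved" and parse_time(e["time"]) < cutoff:
            known[e["user"]].add(e["ip"])
    return known


def suspicious_approvals(signins, audits, cutoff, window=timedelta(hours=1)):
    """MFA approvals after `cutoff` from an IP outside the user's baseline.

    Severity is raised to 'high' when a device registration for the same user
    lands within `window` after the approval, matching the conditional-access
    bypass step described in the article."""
    known = baseline_ips(signins, cutoff)
    start = parse_time(cutoff)
    hits = []
    for e in signins:
        when = parse_time(e["time"])
        if when < start or e["mfa"] != "approved" or e["ip"] in known[e["user"]]:
            continue
        followed_by_device = any(
            a["user"] == e["user"] and a["op"] == "Add registered device"
            and when <= parse_time(a["time"]) <= when + window
            for a in audits
        )
        hits.append({"user": e["user"], "time": e["time"], "ip": e["ip"],
                     "severity": "high" if followed_by_device else "medium"})
    return hits


def is_lookalike_tenant(domain, own_tenant=OWN_TENANT):
    """True for an external *.onmicrosoft.com tenant whose label imitates a vendor
    or a support function (e.g. contains 'msft' or 'protection')."""
    domain = domain.lower()
    if domain == own_tenant or not domain.endswith(".onmicrosoft.com"):
        return False
    label = domain[: -len(".onmicrosoft.com")]
    return any(word in label for word in BRAND_WORDS)


def flag_teams_senders(messages, own_tenant=OWN_TENANT):
    """Senders whose tenant looks like an impersonation of support or Microsoft."""
    return [m["from"] for m in messages if is_lookalike_tenant(m["from_tenant"], own_tenant)]


if __name__ == "__main__":
    for hit in suspicious_approvals(SIGNINS, AUDITS, "2023-08-01T00:00:00"):
        print(hit)
    print(flag_teams_senders(TEAMS_MESSAGES))
```

The baseline is deliberately simple (IPs seen before a cutoff); in production you would key on the sign-in's device or location claims and tune the window, but the correlation itself, a first-seen-location approval followed by a device join, is what separates this campaign's successful takeovers from ordinary MFA fatigue noise like bob's denied prompt.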

Microsoft has taken measures to prevent the group from using the compromised domains.

However, the company is still investigating the incident and the broader campaign to compromise legitimate Azure tenants, and has urged organizations to strengthen their defenses and follow security best practices.

“As with any social engineering lures, we encourage organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious,” says Microsoft.

Moreover, the Midnight Blizzard hacking group, responsible for the recent Microsoft Teams cyber attack incidents, has a history of employing token theft, authentication spear-phishing, password spray, brute force, and other credential attacks to gain initial access to targeted environments.

The latest campaign highlights the group's persistent efforts to infiltrate accounts and the ongoing threat it poses to organizations globally.

Separately, Tenable researchers recently disclosed a vulnerability in Microsoft's Azure cloud platform that they rated critical, and accused the company of a lack of transparency and of irresponsibility in handling security issues. According to Tenable, the flaw allowed unauthorized access to other customers' data and applications.

Tenable reported the issue to Microsoft on March 30, but the fix was not implemented until July 6, and even then Tenable considered it incomplete. “They just do not have a great passion for [reducing] the risk that their customers incur when using the Microsoft Azure cloud platform,” said Tenable CEO Amit Yoran, as reported by CRN.

Yoran's broader criticism, voiced as the Teams attack was being disclosed, is that Microsoft has a culture of downplaying vulnerabilities in its platforms, particularly Azure, and fails to prioritize their timely resolution.

Who is the Midnight Blizzard hacking group?

Midnight Blizzard, the group behind the recent Microsoft Teams attacks, is a hacking group with links to the Russian government.

Also known as NOBELIUM, Cozy Bear, and APT29, it has been active since at least 2008 and is regarded as one of the most sophisticated and persistent threat actors, associated with multiple high-profile cyber attacks.

The group's primary focus is espionage and intelligence gathering against governments, international organizations, defense contractors, technology companies, and other entities of strategic interest.

Their activities are often characterized by their long-term campaigns and careful selection of targets.

Midnight Blizzard is known for advanced tradecraft, including spear phishing, watering-hole attacks, zero-day exploits, custom malware, and social engineering. It has increasingly targeted cloud services such as Microsoft 365 and Azure to reach sensitive data.

Once inside a network, the group uses stolen credentials and tokens to move laterally and escalate privileges. These tactics make it a significant threat to individuals and organizations alike.

One of the most notable incidents involving the group was its role in the 2016 breach of the Democratic National Committee (DNC) during the US presidential election.

The group’s activities, in that case, raised significant concerns about foreign interference in democratic processes.

The group’s motivations are widely believed to be aligned with Russian strategic interests, and there is strong evidence suggesting that it operates under the auspices of Russian intelligence agencies.

Microsoft believes the Teams campaign reflects “specific espionage objectives” directed at the “government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors”.

The company says it has blocked the actor from using the domains involved while it continues to investigate the incidents.

As part of its response to nation-state activity, Microsoft says it has notified affected customers directly and given them the information they need to protect their environments.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
