Russia’s ‘Midnight Blizzard’ Hackers Launch Flurry of Microsoft Teams Attacks


The Nobelium APT is launching highly targeted Teams-based phishing attacks on government and industrial targets using compromised Microsoft 365 tenants, with the aim of data theft and cyber espionage.

The Russian state-sponsored hackers behind the SolarWinds attacks are back again, now using the Microsoft Teams application to mount targeted campaigns aimed at stealing Microsoft 365 passwords, and pivoting into organizations’ Azure Active Directory environments and beyond.

Microsoft flagged the activity on Thursday, noting that the Midnight Blizzard advanced persistent threat (aka Nobelium, APT29, UNC2452, and Cozy Bear) has so far gone after around 40 government organizations, nongovernmental organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors globally.

But there are other victims, too. To carry out the attack, Midnight Blizzard is using compromised Microsoft 365 tenants, mainly small businesses, Redmond noted. Microsoft 365 has become a popular target for nation-state threats, most recently anchoring a sprawling email breach that affected government agencies in the US.

“The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a new user associated with that domain from which to send the outbound message to the target tenant,” Microsoft researchers explained in a post. “The actor uses security-themed or product name-themed keywords to create a new subdomain and new tenant name to lend legitimacy to the messages.”
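A defender-side triage heuristic for the tenant-renaming pattern Microsoft describes above, as an added example that is not code from Dark Reading or Microsoft: it flags inbound Teams chat senders from external `*.onmicrosoft.com` tenants whose subdomain carries security- or product-themed words. The keyword list, the event fields, the function names and all sample addresses are constructed assumptions.

```python
import re

# Assumed keyword themes: the article says only "security-themed or product
# name-themed", so this list is illustrative and should be tuned locally.
THEME_KEYWORDS = ("security", "protect", "support", "helpdesk", "identity",
                  "verify", "teams", "microsoft", "azure")
DEFAULT_DOMAIN = re.compile(r"^([a-z0-9-]+)\.onmicrosoft\.com$")

def classify_sender(sender_upn, home_domains, allowed_external=frozenset()):
    """Return (verdict, reasons) for the sender of an inbound Teams chat."""
    _, sep, domain = sender_upn.strip().lower().rpartition("@")
    if not sep or not domain:
        return "review", ["malformed sender address"]
    if domain in home_domains:
        return "ok", []
    if domain in allowed_external:
        return "ok", ["allow-listed external tenant"]
    reasons = ["external tenant"]
    match = DEFAULT_DOMAIN.match(domain)
    if not match:
        return "ok", reasons  # external, but sending from a custom domain
    reasons.append("default onmicrosoft.com domain")
    # Strip hyphens and digits so "account-security-team01" still matches.
    label = re.sub(r"[^a-z]", "", match.group(1))
    hits = [k for k in THEME_KEYWORDS if k in label]
    if hits:
        reasons.append("themed tenant label: " + ", ".join(hits))
        return "alert", reasons
    return "review", reasons

# Constructed sample events (not a real Teams audit-log schema).
SAMPLE_EVENTS = [
    {"sender": "alice@contoso.example"},
    {"sender": "it@account-security-team.onmicrosoft.com"},
    {"sender": "owner@smallbakery.onmicrosoft.com"},
    {"sender": "carol@partner.example"},
]

def triage(events, home_domains, allowed_external=frozenset()):
    """Classify every event and return (sender, verdict, reasons) tuples."""
    return [(e["sender"], *classify_sender(e["sender"], home_domains,
                                           allowed_external)) for e in events]

if __name__ == "__main__":
    for sender, verdict, reasons in triage(SAMPLE_EVENTS, {"contoso.example"}):
        print(f"{verdict:6} {sender}  {'; '.join(reasons)}")
```

A "review" verdict covers small tenants that legitimately send from their default domain, which is also the kind of tenant the article says is being compromised and renamed.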

The cyberattackers are posing as technical support in order to snow users into handing over their Microsoft 365 credentials and multifactor authentication (MFA) prompts — thus giving the threat actor access to those Microsoft 365 accounts and all the data and applications associated with them, which include Outlook, Teams, cloud versions of Microsoft Office, and more.

“In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only,” according to the post.

The researchers added, “Midnight Blizzard is consistent and persistent in their operational targeting, and their [cyber-espionage] objectives rarely change.”

“Now that cloud services are so ubiquitous across all types of organization, so they have also become the latest battleground for criminal and nation state sponsored threat actors,” said Darren James, senior product manager with Specops Software, via email. “This once again shows that organizations must take a multi-layered approach to combating these evolving online threats. They should enforce strong, secure passphrases which have not been breached, alongside phishing-resistant MFA, conditional access, provide training to all staff about the threat of phishing attacks and password hygiene. These steps are vital to protect organizations from this attack vector.”

 

(c) Dark Reading
