Russian State-Sponsored Hackers Impersonated Microsoft Teams To Hack Organizations

Posted on August 3, 2023 at 8:03 PM


A Russian state-sponsored hacking group posed as Microsoft technical support staff in Microsoft Teams chats. The group used these Teams lures to target global firms and government agencies.

Russian hackers impersonated Microsoft Teams

Microsoft security researchers published a blog post attributing the campaign to a Russian state-sponsored group that Microsoft tracks as Midnight Blizzard, also known as APT29 or Cozy Bear.

The group is linked to the 2020 SolarWinds supply-chain attack, in which trojanized software updates were used to run a wide-ranging espionage campaign. Law enforcement and intelligence agencies in the UK and the US have attributed the group to the Russian Foreign Intelligence Service, the SVR.

The attacks began in late May. The group used previously compromised Microsoft 365 tenants to create new domains that appear to belong to technical support entities.

From those domains the hackers sent Microsoft Teams chat messages that tried to persuade targets to approve multifactor authentication prompts. The technique presumes the attacker already holds a valid password for the target: the Teams chat supplies the missing second factor by talking the user into completing an Authenticator prompt for a sign-in the attacker initiated. The goal was to take over user accounts and exfiltrate sensitive information.

“If the target user accepts the message request, the user then receives a Microsoft Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device,” Microsoft said.

Microsoft's investigation so far indicates that fewer than 40 unique global organizations were affected by the campaign. The targets included government agencies and non-government entities.

Targets also included IT, technology and media organizations as well as discrete manufacturing. Microsoft has not named the compromised organizations, but it said the targeting is consistent with espionage objectives.

Microsoft said it has mitigated the activity and blocked the actor from using the domains. It added that it is still investigating and working to remediate the campaign's effects, and that it has notified targeted or compromised customers and given them the information they need to secure their accounts.

Microsoft also said it is investigating the precursor attacks the group used to compromise legitimate Azure tenants and stand up homoglyph domains. A homoglyph domain swaps in characters that look like the letters of a legitimate domain name (a digit zero for the letter o, or "rn" for "m") so that the lookalike passes a quick visual check during a social engineering attack.
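The support-themed tenant domains described above and the homoglyph domains mentioned here can both be caught with the same sender-domain triage. The script below is an added example written for this article, not Microsoft's detection logic or any indicator from the campaign: it folds a sender's domain to what a human would read it as, then scores it for default onmicrosoft.com tenant names, support and brand keywords, confusable characters and near-miss typosquats. The confusable table, keyword list, weights, thresholds and the allowlist are assumptions, and the sample domains at the bottom are constructed.

```python
"""Score an inbound Teams chat request by how closely the sender's tenant
domain imitates Microsoft support branding.  Added example, not Microsoft's
detection logic; keyword lists, weights and the allowlist are assumptions."""
import unicodedata
from dataclasses import dataclass

# Single characters attackers substitute for Latin letters (assumed, partial
# list): digits, Cyrillic а е о р с ѕ і and Greek omicron.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u03bf": "o",
}
# Letter pairs that render like a single letter in many fonts.
DIGRAPHS = {"rn": "m", "vv": "w"}
# Words the lures leaned on: support/security themes plus the brand itself.
BRAND_WORDS = ("microsoft", "msft", "teams", "protection", "identity",
               "support", "helpdesk", "security")
TRUSTED_DOMAINS = {"microsoft.com", "contoso.com"}      # constructed allowlist
ASCII_OK = set("abcdefghijklmnopqrstuvwxyz0123456789-.")


def normalize(domain: str) -> str:
    """Fold a domain to the ASCII string a human would read it as."""
    d = unicodedata.normalize("NFKC", domain).casefold()   # full-width, ligatures
    d = "".join(CONFUSABLES.get(c, c) for c in d)
    for seq, rep in DIGRAPHS.items():
        d = d.replace(seq, rep)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    domain: str
    score: int
    findings: list

    @property
    def action(self) -> str:
        # Thresholds are assumptions; tune them against your own tenant's traffic.
        return "block" if self.score >= 5 else "review" if self.score >= 2 else "allow"


def score_sender(domain: str) -> Verdict:
    raw = domain.casefold()
    if raw in TRUSTED_DOMAINS:
        return Verdict(domain, 0, ["allowlisted"])
    norm = normalize(domain)
    findings, score = [], 0
    if any(c not in ASCII_OK for c in raw):
        findings.append("non-ASCII characters in domain")
        score += 3
    if norm != raw:
        findings.append(f"homoglyph substitution (reads as {norm})")
        score += 3
    if norm in TRUSTED_DOMAINS:
        findings.append("normalizes to a trusted brand domain")
        score += 4
    labels = norm.split(".")
    if norm.endswith(".onmicrosoft.com"):
        # Every Microsoft 365 tenant gets a default onmicrosoft.com name, so
        # only the leading label(s) are attacker-chosen.
        findings.append("default onmicrosoft.com tenant domain")
        score += 1
        labels = labels[:-2]
    for label in labels:
        hits = [w for w in BRAND_WORDS if w in label]
        if hits:
            findings.append(f"brand/support keywords in '{label}': {hits}")
            score += 2 * len(hits)
        d = levenshtein(label, "microsoft")
        if 0 < d <= 2:
            findings.append(f"'{label}' is within edit distance {d} of 'microsoft'")
            score += 3
    return Verdict(domain, score, findings)


if __name__ == "__main__":
    # Constructed sample senders, not indicators from the real campaign.
    for dom in ("contoso.onmicrosoft.com", "msftprotection.onmicrosoft.com",
                "micr0soft-support.com", "rnicrosoft.com", "micros\u043eft.com"):
        v = score_sender(dom)
        print(f"{v.action:6} {v.score:2} {dom}: {'; '.join(v.findings)}")
```

Feed it the sender domain from each accepted external chat request (Teams exposes external senders as tenant domains) and route "block" verdicts to an alert. The digraph folding is deliberately aggressive and will also rewrite legitimate names containing "rn" or "vv", which is why it only adds to a score rather than deciding on its own.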

Chinese hackers target Microsoft to compromise US government employees

The Teams campaign was reported shortly after Microsoft confirmed a separate breach by Chinese state-sponsored hackers, who exploited a flaw in Microsoft's cloud email service to access the email accounts of US government employees.

Microsoft tracks the group behind that campaign as Storm-0558. It said the hackers accessed the email of approximately 25 organizations, including government agencies, as well as consumer accounts of individuals associated with those organizations.

Microsoft uses the "Storm" designation for newly emerging groups or groups whose activity is still under study.

One targeted agency was the State Department. According to CNN, the State Department alerted Microsoft to the activity affecting some of its employees before Microsoft had addressed the issue.

Microsoft's investigation concluded that China-based hackers were responsible and that the operation bore the hallmarks of a well-resourced actor. Access to the email accounts was obtained through Outlook Web Access in Exchange Online.

Microsoft said the hackers exploited a token validation issue to impersonate Azure AD users and gain access to enterprise email accounts; in Microsoft's own analysis, the forged tokens were signed with an acquired consumer (MSA) signing key that its systems wrongly accepted for enterprise tokens. The incident also drew criticism of Microsoft's handling, because some customers could not access the logs they needed to determine whether and how they had been affected.
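The token validation issue above is an instance of a general mistake: checking a signature against a pool of keys from every issuer instead of against the keys of the one issuer the relying party trusts, so that a key belonging to a consumer identity system can validate a token that claims an enterprise issuer. The code below is an added example written for this article, not Microsoft's code or a reconstruction of its token service: HMAC stands in for the RSA signatures real tokens carry, the issuer URLs, key IDs, claims and fixed clock are constructed, and the "flat" verifier is a deliberately weak model of the pattern, shown next to the issuer-scoped form.

```python
"""Issuer-scoped versus pooled signing-key validation.  Added example, not
Microsoft's code: HMAC stands in for RSA signatures, and every issuer URL,
key ID and claim value below is constructed."""
import base64
import hashlib
import hmac
import json

# Constructed keys: one for consumer accounts, one for an enterprise tenant.
# Holding the consumer key must not let anyone mint tokens the enterprise
# tenant's services accept.
CONSUMER_KEY = {"kid": "msa-consumer-key", "secret": b"consumer-signing-secret"}
ENTERPRISE_KEY = {"kid": "tenant-a-key", "secret": b"enterprise-signing-secret"}
CONSUMER_ISSUER = "https://login.consumer.example/"
ENTERPRISE_ISSUER = "https://sts.example/tenant-a/"

# Keys grouped by the issuer that owns them.
ISSUER_KEYS = {
    CONSUMER_ISSUER: {CONSUMER_KEY["kid"]: CONSUMER_KEY["secret"]},
    ENTERPRISE_ISSUER: {ENTERPRISE_KEY["kid"]: ENTERPRISE_KEY["secret"]},
}
NOW = 1_700_000_000   # fixed clock so the example is deterministic


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, key: dict) -> str:
    """Produce a JWT-shaped header.payload.signature token signed with `key`."""
    header = {"alg": "HS256", "kid": key["kid"]}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    sig = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def _split(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64u_dec(h)), json.loads(_b64u_dec(p)), h + "." + p, _b64u_dec(s)


def _signature_ok(secret: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def _claims_ok(claims: dict, audience: str, now: int) -> bool:
    return claims.get("aud") == audience and claims.get("exp", 0) > now


def verify_flat(token: str, audience: str, now: int):
    """Weak pattern: one pool of keys from every issuer.  The 'iss' claim is
    checked, but it is attacker-controlled and never tied to the signing key."""
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") != "HS256" or claims.get("iss") not in ISSUER_KEYS:
        return None
    pooled = {kid: sec for keys in ISSUER_KEYS.values() for kid, sec in keys.items()}
    secret = pooled.get(header.get("kid"))
    if secret is None or not _signature_ok(secret, signing_input, sig):
        return None
    return claims if _claims_ok(claims, audience, now) else None


def verify_scoped(token: str, audience: str, trusted_issuer: str, now: int):
    """Hardened: the relying party names the issuer it trusts, and only that
    issuer's keys may validate the signature."""
    header, claims, signing_input, sig = _split(token)
    if header.get("alg") != "HS256" or claims.get("iss") != trusted_issuer:
        return None
    secret = ISSUER_KEYS[trusted_issuer].get(header.get("kid"))
    if secret is None or not _signature_ok(secret, signing_input, sig):
        return None
    return claims if _claims_ok(claims, audience, now) else None


def forged_enterprise_token() -> str:
    """What an attacker holding only the consumer key can mint: enterprise
    issuer and subject claims, consumer-key signature."""
    return mint({"iss": ENTERPRISE_ISSUER, "sub": "alice@tenant-a.example",
                 "aud": "exchange-online", "exp": NOW + 3600}, CONSUMER_KEY)


def legitimate_enterprise_token() -> str:
    return mint({"iss": ENTERPRISE_ISSUER, "sub": "alice@tenant-a.example",
                 "aud": "exchange-online", "exp": NOW + 3600}, ENTERPRISE_KEY)


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("pooled keys accept forged token:", verify_flat(forged, "exchange-online", NOW) is not None)
    print("scoped keys accept forged token:",
          verify_scoped(forged, "exchange-online", ENTERPRISE_ISSUER, NOW) is not None)
```

The point of the scoped verifier is that the key lookup is driven by the issuer the relying party was configured to trust, not by anything in the token; the `iss` claim is then only confirmed against that configuration. A key that leaks from one issuer therefore cannot be turned into tokens for another, which is the property the pooled lookup lacks.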
