Russia's Cozy Bear is back and hitting Microsoft Teams to phish top targets
Plus: Tenable CEO blasts Redmond's bug disclosure habits
An infamous Kremlin-backed gang has been using Microsoft Teams chats in attempts to phish marks in governments, NGOs, and IT businesses, according to the Windows giant.
In its latest crime spree, a crew that Microsoft Threat Intelligence now tracks as Midnight Blizzard uses previously compromised Microsoft 365 tenants to create domains that masquerade as organizations offering tech support. The gang then uses these domains to send Teams chat messages to targets in hope they follow links to webpages that phish their credentials – trick victims into entering their login details, basically.
Microsoft used to call this group Nobelium, while other security researchers track the Russian gang as APT29 or Cozy Bear. This group, which has been linked to Russia's Foreign Intelligence Service, is the crew accused of compromising the Democratic National Committee before the 2016 election, and the one that pulled off the SolarWinds supply chain attack.
"Our current investigation indicates this campaign has affected fewer than 40 unique global organizations," Redmond said in a write-up.
"The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors."
As with any phishing campaign, this one starts with a lure — someone from outside the victim's organization claiming to be from tech support or a security team. If the victim OKs the miscreants' request to chat, the phisher then tries to trick their mark into entering a code into the Microsoft Authenticator app on their mobile device, giving the criminal a token to authenticate as the victim and take over the user's Microsoft 365 account to pillage the information within.
"In some cases, the actor attempts to add a device to the organization as a managed device via Microsoft Entra ID (formerly Azure Active Directory), likely an attempt to circumvent conditional access policies configured to restrict access to specific resources to managed devices only," Microsoft's threat intel team explained.
Microsoft also provided guidance to help organizations identify users targeted by these Teams phishing lures, as well as a list of subdomains controlled by Midnight Blizzard.
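The sort of correlation that guidance is aimed at, shown here as an added example rather than Microsoft's own hunting query: it scans constructed, audit-style records (the field names, timestamps and lure keyword list are assumptions, not a real Microsoft log schema) for an external Teams chat request from a tech-support-looking sender domain that is followed, within a short window, by an MFA code entry or a device registration by the same user.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified; not a real Microsoft audit schema).
# Alice gets an external chat from a "security support" tenant, enters an MFA
# code, then a device is registered under her account. Bob's chat is from an
# ordinary partner domain and should not be flagged.
EVENTS = [
    {"ts": "2023-08-02T09:00:00", "type": "TeamsChatRequest", "user": "alice@victim.example",
     "sender_domain": "msftsecurityteam-support.example", "external": True},
    {"ts": "2023-08-02T09:04:00", "type": "MfaCodeEntered", "user": "alice@victim.example"},
    {"ts": "2023-08-02T09:09:00", "type": "DeviceRegistered", "user": "alice@victim.example",
     "device": "DESKTOP-X1"},
    {"ts": "2023-08-02T10:00:00", "type": "TeamsChatRequest", "user": "bob@victim.example",
     "sender_domain": "partner-corp.example", "external": True},
    {"ts": "2023-08-02T10:05:00", "type": "DeviceRegistered", "user": "bob@victim.example",
     "device": "LAPTOP-B2"},
]

# Assumed keyword heuristic for "tech support"-style lure domains; the real
# campaign indicators are the subdomain list in Microsoft's write-up.
LURE_KEYWORDS = ("support", "security", "helpdesk", "msft", "microsoft")
FOLLOW_UP_TYPES = ("MfaCodeEntered", "DeviceRegistered")


def is_lure_domain(domain):
    """True if the sender domain contains a tech-support/security keyword."""
    d = domain.lower()
    return any(k in d for k in LURE_KEYWORDS)


def find_suspicious_chains(events, window_minutes=30):
    """Return (user, sender_domain, [follow-up types]) for each external Teams
    chat from a lure-looking domain that the same user follows, within the
    window, with an MFA code entry and/or a device registration."""
    ordered = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, e in enumerate(ordered):
        if e["type"] != "TeamsChatRequest" or not e.get("external"):
            continue
        if not is_lure_domain(e["sender_domain"]):
            continue
        t0 = datetime.fromisoformat(e["ts"])
        deadline = t0 + timedelta(minutes=window_minutes)
        follow = [f["type"] for f in ordered[i + 1:]
                  if f["user"] == e["user"] and f["type"] in FOLLOW_UP_TYPES
                  and datetime.fromisoformat(f["ts"]) <= deadline]
        if follow:
            hits.append((e["user"], e["sender_domain"], follow))
    return hits


if __name__ == "__main__":
    for user, domain, follow in find_suspicious_chains(EVENTS):
        print(f"{user}: external chat from {domain} followed by {follow}")
```

A device registration alone (as in Bob's case) is not flagged; the chain only fires when it is preceded by a lure-looking external chat, which keeps noise from routine device joins down.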
While we applaud Redmond for getting out ahead of the latest criminal efforts to compromise accounts, the timing is unfortunate as the Windows giant is already fighting several other security fires affecting its products and users.
In July Microsoft admitted that Chinese spies broke into Exchange Online email accounts, including those belonging to the US Department of State and the US Department of Commerce.
Last week, US Senator Ron Wyden (D-OR) blamed Microsoft in scathing terms for the incident and demanded three separate government agencies launch investigations and hold Redmond responsible for "negligent cybersecurity practices."
Then on Wednesday the US House Committee on Oversight and Accountability opened an investigation into the Chinese cyber snooping on government agencies.
In separate letters sent to Secretary of State Antony Blinken [PDF] and Secretary of Commerce Gina Raimondo [PDF], whose Microsoft email account was among those compromised, the lawmakers said the government break-ins "reflects a new level of skill and sophistication from China's hackers."
"The incident even raises the possibility that Chinese hackers may be able to access high-level computer networks and remain undetected for months if not years," the letters continue.
The elected officials requested staff briefings with both federal agencies "as soon as possible but no later than August 9," and said they want to know details about the discovery and impact of the intrusion, how each department responded, and what they are doing to prevent future failings. ®