In a recent report by Microsoft Threat Intelligence, the threat actor known as Midnight Blizzard (previously tracked as NOBELIUM) has been identified conducting highly targeted social engineering attacks using credential theft phishing lures sent through Microsoft Teams chats. This latest campaign showcases the threat actor’s continued efforts to achieve their objectives through a combination of new and familiar techniques.
Who is Midnight Blizzard?
Midnight Blizzard is a Russia-based group known as the Foreign Intelligence Service of the Russian Federation, or SVR, according to US and UK governments. They are known by other security vendors as Cozy Bear, UNC2452, and APT29. Their tactics involve long-term and dedicated espionage dating back to at least early 2018, relying on various initial access methods, such as stolen credentials, supply chain attacks, and exploiting on-premises & cloud environments.
What does their attack campaign entail?
Microsoft’s investigation has indicated that fewer than 40 global organizations have been affected by this latest campaign. The targeted sectors suggest that Midnight Blizzard’s objectives primarily revolve around espionage activities, focusing on:
- Non-government organizations (NGOs)
- IT services
- Discrete manufacturing
- Media sectors
This campaign involves the use of previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Midnight Blizzard then leverages these domains to send Teams messages containing phishing lures aimed at stealing credentials from targeted organizations.
The attack chain consists of the threat actor targeting users with either valid account credentials or accounts configured with passwordless authentication. Once the user attempts to authenticate through MFA, the threat actor sends a Teams message, coercing the user to enter the code displayed on their mobile device’s Microsoft Authenticator app. Upon successful entry of the code, the threat actor gains access to the user’s Microsoft 365 account.
Microsoft recommends several mitigations to reduce the risk of this threat, including:
- deploying phishing-resistant authentication methods
- implementing conditional access authentication strength
- educating users about social engineering and credential phishing attacks
As the threat of targeted social engineering attacks continues to evolve, organizations must stay vigilant and implement robust security measures to protect their data and systems from sophisticated threat actors like Midnight Blizzard. By following security best practices and remaining informed about emerging threats, organizations can enhance their defense against potential cyberattacks.