Hackers working for the Russian Foreign Intelligence Service (SVR) attacked about 40 selected “high-value” targets around the world by sending phishing emails while posing as technical support for the Microsoft Teams application. Microsoft security teams have identified the hackers as “Midnight Blizzard”, a Russian hacking team that usually works for the SVR and was previously known as “Nobelium”.
The targets included government departments, NGOs, charities and tech companies. The hack was conducted by putting a message on Teams suggesting that the user contact tech support. If the user clicked on the link, they were directed to a malicious site controlled by the hackers. The attack was not sophisticated, little better than a normal phishing attack, but what makes it unusual is that the hackers were able to send messages that appeared to come from legitimate Microsoft sources: the suspect address for the emails was onmicrosoft.com – close enough to tempt the unwary. Teams is used by a variety of high-level organisations, including governments, because it is supposedly trustworthy. For instance, the UK’s court and judicial system uses it. Fortunately, this attack was spotted in time but, as is so often said, your enemy only has to be lucky once.