Russian hackers Midnight Blizzard pose as Microsoft employees to attack US officials

Midnight Blizzard is responsible for the SolarWinds attack.




Key notes

  • Microsoft warns that Russian hackers are targeting US officials with spear-phishing emails ahead of the election.
  • The group impersonated Microsoft employees and sent malicious emails to thousands of targets.
  • This campaign is part of a broader Russian effort to spread disinformation related to the elections.

Microsoft has warned of a new spear-phishing campaign by Midnight Blizzard, a Russian-linked hacker group also known as Cozy Bear or APT29, responsible for the 2020 SolarWinds breach and last year’s attack on TeamCity servers.

The Redmond tech giant says in a recent blog post that the group has been targeting US officials just before the US presidential election. Since October 22, the group has sent targeted spear-phishing emails to over 100 organizations worldwide, including government, academic, and defense organizations in the US, Europe, Australia, and Japan.

“Its focus is to collect intelligence through longstanding and dedicated espionage of foreign interests that can be traced to early 2018,” Microsoft warns about the group.

These emails, sent using stolen organizational credentials and impersonating Microsoft and Amazon Web Services employees, carry Remote Desktop Protocol (RDP) connection files. When opened, the files connect the victim's machine to hacker-controlled servers, giving the attackers access to sensitive files, network drives, and security keys.
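The resource access described above comes from settings inside the .rdp file itself: an RDP connection file is a plain list of `key:type:value` lines, and settings such as `drivestoredirect`, `redirectclipboard`, and `redirectsmartcards` tell the client which local resources to share with the remote host. The following triage script is an added example for this article, not Microsoft's tooling or anything from the campaign; the sample file, the `.invalid` hostnames, and the trusted-domain list are constructed placeholders. It parses an .rdp attachment and flags the settings that would hand an outside host access to local drives, devices, and authentication tokens.

```python
"""Triage an .rdp email attachment for settings that share local resources
with the remote host. Added example; not Microsoft's or the campaign's code."""

# Constructed sample .rdp file (hostname is a placeholder). Real .rdp files
# are often saved as UTF-16LE, so decode before passing text to triage_rdp().
SAMPLE_RDP = """\
full address:s:rdp.example-placeholder.invalid:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:1
devicestoredirect:s:*
username:s:user
"""

# Settings worth flagging: key -> (predicate on the value, why it matters).
# Value "0" or empty means the resource is not redirected.
RISKY_SETTINGS = {
    "drivestoredirect": (lambda v: v not in ("", "0"), "local drives exposed to remote host"),
    "devicestoredirect": (lambda v: v not in ("", "0"), "local devices exposed to remote host"),
    "redirectclipboard": (lambda v: v == "1", "clipboard shared with remote host"),
    "redirectsmartcards": (lambda v: v == "1", "smart cards / auth tokens usable by remote host"),
    "redirectprinters": (lambda v: v == "1", "printers redirected"),
    "remoteapplicationmode": (lambda v: v == "1", "RemoteApp mode hides the full remote desktop"),
}


def parse_rdp(text):
    """Parse key:type:value lines into a dict keyed by lower-cased setting name."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # keys like "full address" contain a space
        if len(parts) != 3:
            continue  # malformed line; ignore rather than fail the whole file
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def is_external_host(address, trusted_suffixes):
    """True if the 'full address' host is not under any trusted domain suffix.
    Handles host or host:port; bracketed IPv6 literals are treated as external."""
    host = address.split(":", 1)[0].lower()
    return not any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def triage_rdp(text, trusted_suffixes=("corp.example.invalid",)):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    settings = parse_rdp(text)
    findings = []
    address = settings.get("full address", "")
    if address and is_external_host(address, trusted_suffixes):
        findings.append(f"full address points outside trusted domains: {address}")
    for key, (is_risky, why) in RISKY_SETTINGS.items():
        if key in settings and is_risky(settings[key]):
            findings.append(f"{key}={settings[key]}: {why}")
    return findings


if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP):
        print("FLAG:", finding)
```

A mail gateway or endpoint script can run `triage_rdp()` over any `.rdp` attachment and quarantine the message when the list is non-empty; a connection file that points at an untrusted host and redirects drives or smart cards is exactly the combination this campaign relies on, and an ordinary internal VDI shortcut rarely needs it.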

The group is linked to Russia’s Foreign Intelligence Service, according to Microsoft. US intelligence has previously reported that Russia is spreading disinformation about Democratic Vice-Presidential candidate Tim Walz (via The Washington Post), likely to instigate unrest and threats against election workers.

“It uses diverse initial access methods, including spear phishing, stolen credentials, supply chain attacks, compromise of on-premises environments to laterally move to the cloud, and leveraging service providers’ trust chain to gain access to downstream customers,” the Redmond company says further.

Brad Smith, a Microsoft executive, has previously urged Congress to pass federal laws to regulate AI-generated deepfakes and deceptive ads ahead of the 2024 US elections. But Congress is unlikely to enact new AI regulations this year.
