- Microsoft spots fake Entra pages being distributed in phishing emails
- The attacks targeted organizations in the West, mostly in critical infrastructure
- The goal was to gather intelligence for the Russo-Ukrainian conflict
Russian hacking campaigns, part of the country’s wider war effort against Ukraine, are getting more aggressive, security researchers from Microsoft have claimed, after they spotted a change in how a specific threat actor, called Void Blizzard, is running its operations.
Void Blizzard, also known as Laundry Bear, would usually buy login credentials off the dark web and use them to gain access to their targets’ IT infrastructure. Once inside, the hackers would exfiltrate emails, sensitive files, and business data, and look for means to continue moving laterally throughout the organization.
However, in recent times, the group has switched from buying login credentials into stealing them itself, and to do that it started spoofing Microsoft Entra login pages.
NATO in the crosshairs
Microsoft Entra is a comprehensive identity and network access solution that many organizations use to secure access to their digital resources across both cloud and on-prem. Void Blizzard would create fake pages using typosquatted domains and then distribute them to the victims using spear phishing and similar methods.
The victims are mostly small and medium-sized businesses (SMB) located in the West, as the campaign “disproportionately” targets organizations in Ukraine and NATO member states, Microsoft says, suggesting it is actually part of Russia’s war on Ukraine, and is designed to collect intelligence from critical sectors.
That being said, the majority of the victims are in government, defense, transportation, media, NGO, and healthcare.
In some instances, the hackers targeted education, telecommunications, and law enforcement agencies, as well, with more than 20 NGOs in Europe and North America targeted.
“Void Blizzard primarily targets NATO member states and Ukraine. Many of the compromised organizations overlap with past—or, in some cases, concurrent—targeting by other well-known Russian state actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard,” Microsoft concluded.
“This intersection suggests shared espionage and intelligence collection interests assigned to the parent organizations of these threat actors.”
