- Microsoft identifies fake Entra pages distributed in phishing emails
- The attacks targeted organizations in the West, mainly in critical infrastructure
- The objective was to collect intelligence for the Russian-Ukrainian conflict
Russian hacking campaigns, which are part of the country’s broader war efforts against Ukraine, are becoming more and more aggressive, Microsoft’s security researchers said, after identifying a change in the way a specific threat actor called Void Blizzard runs its operations.
Void Blizzard, also known as Laundry Bear, would generally buy login credentials on the dark web and use them to access the computer infrastructure of its targets. Once inside, the hackers exfiltrate emails, sensitive files and business data, and look for ways to keep moving laterally throughout the organization.
Recently, however, the group has moved from buying login credentials to stealing them itself, and to do this it has started spoofing Microsoft Entra login pages.
NATO in the crosshairs
Microsoft Entra is a comprehensive identity and network access solution that many organizations use to secure access to their digital resources both in the cloud and on premises. Void Blizzard would create fake pages using typosquatted domains, then distribute them to victims using spear phishing and similar methods.
The victims are mostly small and medium-sized businesses (SMBs) located in the West, because the campaign “disproportionately” targets organizations in Ukraine and NATO member states, Microsoft said, suggesting that this is in fact part of the Russian war against Ukraine and is designed to collect intelligence from critical sectors.
That said, the majority of victims are in government, defense, transport, media, NGOs and health care.
In some cases, the hackers have targeted education, telecommunications and law enforcement organizations, with more than 20 NGOs in Europe and North America targeted.
“Void Blizzard mainly targets NATO member states and Ukraine. Many compromised organizations overlap with past – or, in some cases, simultaneous – targeting by other well-known Russian state actors, notably Forest Blizzard, Midnight Blizzard and Secret Blizzard,” concluded Microsoft.
“This intersection suggests shared interests in espionage and intelligence collection assigned to the parent organizations of these threat actors.”