 |
| Designed by Freepik.com |
(Naraine, 2025). In a new report published with Dutch intelligence agencies cooperating and coordinating their efforts, Redmond’s threat intelligence hunting team said that the Russian hacking group is looking heavily on the low cost end of the network crime economy: purchasing usernames and passwords that have been robbed from data thief markets for use in brute force password attacks.
Recently, Microsoft said it observed the team acquire a more precise “attacker-in-the-middle phishing attack” method that tricks the Microsoft Entra login page with a URL hijacking and a vicious QR-code arrangement to a phony European defense summit.
“We estimate that Void Blizzard, a new group that targets systems or individuals that Microsoft Threat Intelligence has seen directing surveillance actions in Russia, is using the free software attack infrastructure Evilginx to oversee the AitM phishing, which is an advanced attack where attackers get the information going between a personal user and a real website, campaign and take verification information, including the put in username and password and any internet cookies created by the server,” Microsoft said. Evilginx made public in 2017 is a universally accessible trickery tool with [attacker-in-the-middle] AitM abilities.
While the methods are by the book for federal-level cyberwarfare campaigns, the goal is very precise with a casualty list that overlaps with other Russia-linked cyber intelligencers, Microsoft said, noting that the Russian hackers are likely stealing military intelligence that can be fed back into military or political planning.
Microsoft said that NATO states and Ukraine stay the main attacking sandbox and identified a case where a Ukrainian aviation department was compromised by separate Russian APTs, which have lots of resources and go in for advanced damaging network activity that targets network intrusion for an extended period of time, showing centered attacking on flight path and space-based networks.
According to Microsoft, the Void Blizzard playbook is to the point: rob authentication, sign into Exchange or SharePoint Online, and program the input of whatever a breached user can view.
Redmond said its security intelligence center found “a collection of global cloud misuse tasks” connected to Void Blizzard and cautioned that the cyberthreat actor’s production activity against networks in important sections presents an increased risk to NATO member states and allies to Ukraine.
After getting first time access, Microsoft found the hackers misusing authorized cloud Application Program Interfaces such as Exchange Online and Microsoft Graph to specified email addresses, including any shared email addresses, and cloud-hosted files.
“When accounts are effectively infiltrated, the hacker likely programs the volume collection of cloud-hosted information (primarily email and files) and any email boxes or file shares that the infiltrated person can get into, which can include email boxes and folders that belong to other people who have given other people read authorizations,” Microsoft explained.
In a small amount of confirmed breaches, Microsoft said the cyber-terrorists snooped in on Microsoft Teams discussions and communications through the Microsoft Teams web client application.
“The threat hacker has also in some cases identified the infiltrated organization’s Microsoft Entra ID configuration using the widely available AzureHound tool to get data about the users, roles, groups, applications, and devices belonging to that occupant,” according to the documentation.
Since the middle of 2024, Microsoft said it has traced “successful infiltrations” against telcos, defense suppliers, digital services providers, healthcare, and IT.
Reference-
Naraine, Ryan. “Russian Government Hackers Caught Buying Passwords from Cybercriminals.” Securityweek, 27 May 2025, https://www.securityweek.com/russian-government-hackers-caught-buying-passwords-from-cybercriminals/. Accessed 28 May 2025.
