- Microsoft sees fake Entra pages being distributed in phishing emails
- The attacks targeted organizations in the West, mostly in critical infrastructure
- The goal was to gather intelligence for the Russo-Ukrainian conflict
Russian hacking campaigns, part of the country’s wider war effort against Ukraine, are becoming more aggressive, Microsoft security researchers have claimed after discovering a change in how a particular threat actor, called Void Blizzard, runs its operations.
Void Blizzard, also known as Laundry, would usually buy login credentials on the dark web and use them to access its targets’ IT infrastructure. Once inside, the hackers would exfiltrate emails, sensitive files and business data, and look for means to continue moving laterally throughout the organization.
Recently, however, the group has switched from purchasing login credentials to stealing them itself, and to do so it began counterfeiting Microsoft Entra login pages.
NATO at the intersection
Microsoft Entra is a comprehensive identity and network access solution that many organizations use to secure access to their digital resources across both cloud and on-prem. Void Blizzard would create fake pages using typosquatted domains and then distribute them to the victims using spear phishing and similar methods.
The victims are mostly small and medium-sized businesses (SMBs) located in the West, as the campaign “disproportionately” targets organizations in Ukraine and NATO member countries, says Microsoft, which suggests that it is part of Russia’s war against Ukraine and is designed to collect intelligence from critical sectors.
That said, the majority of victims are in government, defense, transport, media, NGOs and healthcare.
In some cases, the hackers also targeted education, telecommunications and law enforcement organizations, with more than 20 NGOs in Europe and North America targeted.
“Void Blizzard primarily targets NATO member states and Ukraine. Many of the compromised organizations overlap with past, or in some cases concurrent, targeting by other well-known Russian state actors, including Forest Blizzard, Midnight Blizzard and Secret Blizzard,” Microsoft concluded.
“This overlap suggests shared espionage and intelligence collection interests assigned to the parent organizations of these threat actors.”



