Russian Government Hackers Caught Buying Passwords from Cybercriminals

Microsoft on Tuesday published technical documentation on a new Russia-linked espionage outfit it calls “Void Blizzard,” warning that the group has spent the past year quietly looting e-mail, files and even Teams chats from government and defense contractors across Europe and North America. 

In a new report published in tandem with Dutch intelligence agencies, Redmond’s threat hunting team said the Kremlin hacking team is leaning heavily on the low-cost end of the cybercrime economy: buying stolen usernames and passwords from infostealer markets for use in password-spraying attacks. 
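One defensive check that follows from this tradecraft, added here as an example and not taken from the Microsoft or Dutch report: a password-spraying detector over constructed sign-in events (the log format, field names and thresholds are assumptions). It counts distinct accounts failing from a single source rather than failures per account, which is why per-account lockouts miss spraying, and records which account the spray eventually succeeded against.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): timestamp, source, account, outcome.
SIGNIN_LOG = """\
2025-05-27T09:00:01Z 203.0.113.7 alice@example.test FAIL
2025-05-27T09:00:03Z 203.0.113.7 bob@example.test FAIL
2025-05-27T09:00:05Z 203.0.113.7 carol@example.test FAIL
2025-05-27T09:00:07Z 203.0.113.7 dave@example.test FAIL
2025-05-27T09:00:09Z 203.0.113.7 erin@example.test FAIL
2025-05-27T09:00:11Z 203.0.113.7 frank@example.test SUCCESS
2025-05-27T09:05:00Z 198.51.100.9 alice@example.test FAIL
2025-05-27T09:05:30Z 198.51.100.9 alice@example.test FAIL
2025-05-27T09:06:00Z 198.51.100.9 alice@example.test SUCCESS
"""

def parse_events(text):
    """Parse the constructed log into (timestamp, source, account, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, src, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, outcome))
    return sorted(events)

def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Flag sources that fail against many distinct accounts inside one time window.

    Spraying fans out horizontally (one or two guesses per account), so a per-account
    lockout never fires; counting distinct failed accounts per source is what catches it.
    The second source above hammers a single account and is deliberately not flagged.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = []
    for src, evs in by_src.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed = {e[2] for e in in_window if e[3] == "FAIL"}
            if len(failed) >= min_accounts:
                succeeded = sorted(e[2] for e in in_window if e[3] == "SUCCESS")
                findings.append({"source": src, "failed_accounts": len(failed),
                                 "compromised": succeeded})
                break  # one finding per source is enough for triage
    return findings
```

The `compromised` field is the triage priority: an account that succeeded at the tail of a spray is the one whose mailbox and SharePoint access should be reviewed first.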

In recent weeks, Microsoft said it watched the team adopt a more surgical “adversary-in-the-middle spear-phishing” tactic that spoofs the Microsoft Entra login page with a typo-squatted domain and a malicious QR-code invitation to a fake European defense summit.

“We assess that Void Blizzard is using the open-source attack framework Evilginx to conduct the AitM phishing campaign and steal authentication data, including the input username and password and any cookies generated by the server,” Microsoft said. Evilginx, publicly released in 2017, is a widely available phishing kit with adversary-in-the-middle (AitM) capabilities.

While the techniques are textbook for government-level cyberespionage campaigns, the targeting is very specific, with a victim list that overlaps with other Russia-linked cyberspies, Microsoft said, noting that the Russian hackers are likely pilfering wartime intelligence that can be fed back into military or diplomatic planning.

Microsoft said NATO states and Ukraine remain the prime hunting grounds and flagged a case where a Ukrainian aviation agency was hacked by separate Russian APTs, demonstrating focused targeting on air-traffic and aerospace networks.

According to Microsoft, the Void Blizzard playbook is straightforward: steal credentials, log in to Exchange or SharePoint Online, and automate the download of anything a compromised user can see.    

Redmond said its threat intelligence center discovered “a cluster of worldwide cloud abuse activity” linked to Void Blizzard and warned that the threat actor’s prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies of Ukraine.

After gaining initial access, Microsoft caught the hackers abusing legitimate cloud APIs like Exchange Online and Microsoft Graph to enumerate mailboxes, including any shared mailboxes, and cloud-hosted files. 

“Once accounts are successfully compromised, the actor likely automates the bulk collection of cloud-hosted data (primarily email and files) and any mailboxes or file shares that the compromised user can access, which can include mailboxes and folders belonging to other users who have granted other users read permissions,” Microsoft explained.

In a small number of confirmed compromises, Microsoft said the hackers spied on Microsoft Teams conversations and messages via the Microsoft Teams web client application. 

“The threat actor has also in some cases enumerated the compromised organization’s Microsoft Entra ID configuration using the publicly available AzureHound tool to gain information about the users, roles, groups, applications, and devices belonging to that tenant,” according to the documentation.

Since mid-2024, Microsoft said it has tracked “successful compromises” against telcos, defense suppliers, digital services providers, healthcare and IT.

– Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Published courtesy of SecurityWeek


©2025 Global Cyber Security Report. Use Our Intel. All Rights Reserved. Washington, D.C.