FlagThis - #russianhackers

Russian threat actors have been actively targeting Microsoft 365 accounts belonging to individuals and organizations with connections to Ukraine and human rights causes. These malicious actors are exploiting legitimate OAuth 2.0 authentication workflows to gain unauthorized access. Researchers at Volexity have been monitoring these campaigns since early March 2025, observing a shift in tactics from previous device code phishing attempts to methods that rely more heavily on direct interaction with targets. These new attacks involve convincing victims to click on links and provide Microsoft-generated codes.

These campaigns involve sophisticated social engineering techniques, where attackers impersonate officials from various European nations and, in one instance, utilized a compromised Ukrainian Government account. The attackers are using messaging apps like Signal and WhatsApp to contact their targets, inviting them to join fake video calls or register for private meetings with European political figures or Ukraine-related events. The goal is to lure victims into clicking links hosted on Microsoft 365 infrastructure, ultimately tricking them into sharing Microsoft Authorization codes.

Volexity is tracking at least two suspected Russian threat actors, identified as UTA0352 and UTA0355, believed to be behind these attacks. The primary tactic involves requesting Microsoft Authorization codes from victims, which then allows the attackers to join attacker-controlled devices to Entra ID (formerly Azure AD) and download emails and other account-related data. This activity demonstrates a continuous effort by Russian threat actors to refine their techniques and circumvent security measures, highlighting the ongoing threat to individuals and organizations associated with Ukraine and human rights.


References :

• cyberpress.org: Cybersecurity firm Volexity has identified a series of sophisticated cyberattacks orchestrated by Russian threat actors abusing Microsoft’s OAuth 2.0 authentication workflows.
• securityonline.info: Russian Hackers Abuse Microsoft 365 OAuth in Sophisticated Phishing Attacks
• The Hacker News: Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp
• www.volexity.com: Volexity blog on Russian Threat Actors Target Microsoft 365 Using OAuth Authorization Code Theft
• Virus Bulletin: Volexity researchers observed multiple Russian threat actors targeting individuals & organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows.
• bsky.app: Russian threat actors have been abusing legitimate OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts of employees of organizations related to Ukraine and human rights.
• Security Risk Advisors: Russian Threat Actors Target Microsoft 365 Using OAuth Authorization Code Theft
• The DefendOps Diaries: Learn how cybercriminals exploit OAuth 2.0 to hijack Microsoft 365 accounts and discover strategies to mitigate these sophisticated threats.
• Email Security - Blog: Detailed analysis of the phishing technique.
• Virus Bulletin: Russian APTs targeting Ukraine supporters with sophisticated Microsoft 365 OAuth phishing.
• www.helpnetsecurity.com: Attackers phish OAuth codes, take over Microsoft 365 accounts
• gbhackers.com: Russian Hackers Exploit Microsoft OAuth 2.0 to Target Organizations
• BleepingComputer: Russian hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
• Cyber Security News: CyberPress on Russian Hackers Abuse Microsoft OAuth 2.0 to Breach Organizations
• www.sentinelone.com: AI empowers organizations to optimize detection, Russia-nexus actors exploit MS OAuth workflows, and cybercrime hit $16B in losses in 2024.
• slashnext.com: Technical details and vulnerabilities highlighted.
• www.scworld.com: Explanation of the tool used in the attack.

Classification:

• HashTags: #OAuthPhishing #Microsoft365 #RussianAPT
• Company: Microsoft
• Target: Ukraine supporters and human rights organizations
• Attacker: Russian APT
• Product: Microsoft 365
• Feature: OAuth Authorization Code Theft
• Type: Phishing
• Severity: Major

Russian state-aligned hackers are exploiting the "Linked Devices" feature in Signal Messenger to conduct cyber-espionage campaigns. Google's Threat Intelligence Group (GTIG) has uncovered these campaigns, revealing that the hackers are using phishing tactics to gain unauthorized access to Signal accounts. These campaigns involve tricking users into linking their devices to systems controlled by the attackers.

Russian threat actors are launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest. The hackers employ sophisticated methods to trick targets into linking their Signal account to a device controlled by the attacker, compromising their secure communications.


References :

• cyberinsider.com: Russian Hackers Exploit Signal’s Linked Devices to Spy on Users
• BleepingComputer: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
• www.bleepingcomputer.com: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
• CyberInsider: Google's Threat Intelligence Group (GTIG) has uncovered a series of cyber-espionage campaigns by Russian state-aligned hackers targeting Signal Messenger accounts.
• securebulletin.com: Russia-Aligned actors intensify targeting of Signal Messenger
• securityaffairs.com: Russia-linked threat actors exploit Signal messenger
• Talkback Resources: Russian Groups Target Signal Messenger in Spy Campaign [app] [social]
• cloud.google.com: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine.
• bsky.app: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine. https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
• cyble.com: Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devicesâ€� Feature for Espionage in Ukraine
• Talkback Resources: State-aligned threat actors, particularly from Russia, are targeting Signal Messenger accounts through phishing campaigns to access sensitive government and military communications, exploiting the app's "linked devices" feature for eavesdropping on secure conversations.
• cyberscoop.com: Russian-aligned threat groups dupe Ukrainian targets via Signal
• Talkback Resources: Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger [social]
• Threats | CyberScoop: Russia-aligned threat groups dupe Ukrainian targets via Signal
• www.onfocus.com: Google Threats on Signals of Trouble
• cyberriskleaders.com: Russian Hackers Targeting Ukrainian Signal Users with Malicious QR Codes
• arstechnica.com: Russia-aligned hackers are targeting Signal users with device-linking QR codes Swapping QR codes in group invites and artillery targeting are latest ploys.
• MeatMutts: Google Warns of Russian Hacking Campaign Targeting Ukraine’s Military on Signal
• Talkback Resources: Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
• thecyberexpress.com: Russian state-sponsored hackers are ramping up efforts to compromise Signal messenger accounts, particularly those used by Ukrainian military personnel, government officials, and other key figures.

Classification:

• HashTags: #SignalMessenger #CyberEspionage #RussianHackers
• Company: Google
• Target: Signal Users
• Attacker: Russian APT
• Product: Signal
• Feature: Linked Devices
• Malware: Linked Signal Devices
• Type: Espionage
• Severity: Major