Data Breaches

Russian Government Hackers Caught Buying Passwords from Cybercriminals

Microsoft flags a new Kremlin hacking team buying stolen usernames and passwords from infostealer markets for use in cyberespionage attacks. 

Russian APT

Microsoft on Tuesday published technical documentation on a new Russia-linked espionage outfit it calls “Void Blizzard,” warning that the group has spent the past year quietly looting e-mail, files and even Teams chats from government and defense contractors across Europe and North America. 

In a new report published in tandem with Dutch intelligence agencies, Redmond’s threat hunting team said the Kremlin hacking team is leaning heavily on the low-cost end of the cybercrime economy: buying stolen usernames and passwords from infostealer markets for use in password-spraying attacks. 

In recent weeks, Microsoft said it watched the team adopt a more surgical “adversary-in-the-middle spear-phishing” tactic that spoofs the Microsoft Entra login page with a a typo-squatted domain and a malicious QR-code invitation to a fake European defense summit.  

“We assess that Void Blizzard is using the open-source attack framework Evilginx to conduct the AitM phishing campaign and steal authentication data, including the input username and password and any cookies generated by the server,” Microsoft said. Evilginx, publicly released in 2017, is a widely available phishing kit with [adversary-in-the-middle) AitM capabilities.

While the techniques are textbook for government-level cyberespionage campaigns, the targeting is very specific with a victim list that overlaps with other Russia-linked cyberspies, Microsoft said, noting that the Russian hackers are likely pilfering wartime intelligence that can be fed back into military or diplomatic planning. 

Microsoft said NATO states and Ukraine remain the prime hunting grounds and flagged a case where a Ukrainian aviation agency was hacked by separate Russian APTs, demonstrating focused targeting on air-traffic and aerospace networks.

Advertisement. Scroll to continue reading.

According to Microsoft, the Void Blizzard playbook is straightforward: steal credentials, log in to Exchange or SharePoint Online, and automate the download of anything a compromised user can see.    

Redmond said its threat intelligence center discovered “a cluster of worldwide cloud abuse activity” linked to Void Blizzard and warned that the threat actor’s prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies to Ukraine..

After gaining initial access, Microsoft caught the hackers abusing legitimate cloud APIs like Exchange Online and Microsoft Graph to enumerate mailboxes, including any shared mailboxes, and cloud-hosted files. 

“Once accounts are successfully compromised, the actor likely automates the bulk collection of cloud-hosted data (primarily email and files) and any mailboxes or file shares that the compromised user can access, which can include mailboxes and folders belonging to other users who have granted other users read permissions,” Microsoft explained.

In a small number of confirmed compromises, Microsoft said the hackers spied on Microsoft Teams conversations and messages via the Microsoft Teams web client application. 

“The threat actor has also in some cases enumerated the compromised organization’s Microsoft Entra ID configuration using the publicly available AzureHound tool to gain information about the users, roles, groups, applications, and devices belonging to that tenant,” according to the documentation.

Since mid-2024, Milcrosoft said it has tracked “successful compromises” against telcos, defense suppliers, digital services providers, healthcare and IT.

Related: Russian ‘Gamaredon’ Hackers Back at Targeting Ukraine Officials

Related: Russian Star Blizzard APT Uses ClickFix to Deploy LostKeys Malware

Related: Russian Seashell Blizzard APT Caught Hacking Critical Infrastructure

Related: Microsoft Alerts Customers to Email Theft in Midnight Blizzard Hack

Related: CISA Warns of Russian ‘Star Blizzard’ APT Spear-Phishing Operation

Related Content

Cybercrime

The suspects and their companies were previously sanctioned by the United States and its allies.

Vulnerabilities

Two flaws in Active Directory and SharePoint Server have been exploited as zero-days, and a BitLocker bug was publicly disclosed.

Government

Multiple state-sponsored APTs are compromising poorly secured devices across critical infrastructure sector networks.

Cyberwarfare

The move targeted people and entities accused of links to an online spying network that the EU claims targeted governments and carried out sabotage...

Artificial Intelligence

Microsoft's new Teams admin policy requires organizer approval for external AI bots, giving organizations greater visibility and control over automated participants in sensitive meetings.

Government

UNC5792 and UNC4221 have been targeting US government officials, military leaders, and allied personnel.

Malware & Threats

Turla has been using the backdoor against government and military organizations in Ukraine for espionage.

Cybercrime

Hundreds of C&C servers were disrupted in an operation involving law enforcement and several cybersecurity companies.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version