Russian Government Hackers Caught Buying Passwords from Cybercriminals
securityweek
Microsoft on Tuesday published technical documentation on a new Russia-linked espionage outfit it calls “Void Blizzard,” warning that the group has spent the past year quietly looting e-mail, files and even Teams chats from government and defense contractors across Europe and North America.
In a new report published in tandem with Dutch intelligence agencies, Redmond’s threat hunting team said the Kremlin hacking team is leaning heavily on the low-cost end of the cybercrime economy: buying stolen usernames and passwords from infostealer markets for use in password-spraying attacks.
In recent weeks, Microsoft said it watched the team adopt a more surgical “adversary-in-the-middle spear-phishing” tactic that spoofs the Microsoft Entra login page with a typo-squatted domain and a malicious QR-code invitation to a fake European defense summit.
“We assess that Void Blizzard is using the open-source attack framework Evilginx to conduct the AitM phishing campaign and steal authentication data, including ...