"Beware: Russian Hackers Are Impersonating IT Support on Microsoft Teams to Deploy Ransomware—Here's How to Stay Safe!"
- Tech Brief
- Jan 27
- 4 min read

Recent reports describe a tactic used by Russian cybercriminal groups: impersonating IT support staff on Microsoft Teams to gain access to corporate networks and deploy ransomware. The attackers first flood a targeted employee with spam email, sometimes up to 3,000 messages within an hour, to manufacture urgency and confusion. They then contact the victim over Teams from an external Microsoft 365 account, posing as the help desk and offering to fix the "email problem" they themselves created. Once the victim trusts them, they ask for remote control of the machine, either through the screen-sharing and remote-control features of Teams or through Microsoft Quick Assist. With that access they run their malware, which encrypts data and disrupts network operations, with significant operational and financial consequences for the victim organization.
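The sequence above (mail flood, then an unsolicited chat from another tenant) is detectable before anyone grants remote control. The following is an added detection example, not code from the article or from Sophos: it slides a window over per-recipient inbound mail counts, and when a burst is found it looks for a Teams chat opened by a foreign tenant with that user shortly afterwards. All records are constructed; the field names imitate the shape of Exchange message-trace rows and Teams audit records (for example HasForeignTenantUsers) but are assumptions to be mapped onto your own SIEM schema.

```powershell
# Added example (not from the article or from Sophos): correlate an email-bombing
# burst with a follow-up Teams chat from another tenant to the same user.
# All records are constructed; field names are assumptions, map them to your schema.

function Find-HelpDeskImpersonation {
    param(
        [Parameter(Mandatory)] [object[]] $MailTrace,   # objects with Received, Recipient
        [Parameter(Mandatory)] [object[]] $TeamsAudit,  # objects with CreationTime, User, HasForeignTenantUsers
        [int] $Threshold     = 100,   # inbound mails inside one window that count as a bomb
        [int] $WindowMinutes = 60,
        [int] $FollowUpHours = 4      # an external chat this soon after the bomb is suspicious
    )

    $alerts = @()
    foreach ($group in ($MailTrace | Group-Object -Property Recipient)) {
        # Sort this recipient's delivery times and slide a fixed window over them.
        $times = @($group.Group | Sort-Object -Property Received | ForEach-Object { $_.Received })
        $bombStart = $null
        $lo = 0
        for ($hi = 0; $hi -lt $times.Count; $hi++) {
            while (($times[$hi] - $times[$lo]).TotalMinutes -gt $WindowMinutes) { $lo++ }
            if (($hi - $lo + 1) -ge $Threshold) { $bombStart = $times[$lo]; break }
        }
        if ($null -eq $bombStart) { continue }   # no burst for this recipient

        # A chat or call from a foreign tenant to the bombed user inside the follow-up window.
        $external = $TeamsAudit | Where-Object {
            $_.User -eq $group.Name -and
            $_.HasForeignTenantUsers -eq $true -and
            $_.CreationTime -ge $bombStart -and
            $_.CreationTime -le $bombStart.AddHours($FollowUpHours)
        }
        foreach ($chat in $external) {
            $alerts += [pscustomobject]@{
                User         = $group.Name
                BombStart    = $bombStart
                MailsInBurst = $hi - $lo + 1
                ExternalChat = $chat.CreationTime
                Operation    = $chat.Operation
                Reason       = 'Email bomb followed by Teams chat from an external tenant'
            }
        }
    }
    return $alerts
}

# --- Constructed sample data (not real telemetry) -------------------------------
$t0 = [datetime]'2024-11-18 09:00'

# Alice receives 300 sign-up confirmations in 40 minutes; Bob receives normal mail.
$mailTrace = @(
    1..300 | ForEach-Object {
        [pscustomobject]@{ Received = $t0.AddSeconds($_ * 8);  Recipient = 'alice@example.com'; Sender = "noreply$_@signup.example" }
    }
    1..5 | ForEach-Object {
        [pscustomobject]@{ Received = $t0.AddMinutes($_ * 10); Recipient = 'bob@example.com';   Sender = 'colleague@example.com' }
    }
)

# An external "Help Desk Manager" opens a chat with Alice 55 minutes after the flood starts;
# Bob only chats with an internal colleague.
$teamsAudit = @(
    [pscustomobject]@{ CreationTime = $t0.AddMinutes(55); Operation = 'ChatCreated'; User = 'alice@example.com'; HasForeignTenantUsers = $true  }
    [pscustomobject]@{ CreationTime = $t0.AddMinutes(20); Operation = 'ChatCreated'; User = 'bob@example.com';   HasForeignTenantUsers = $false }
)

# Expected: exactly one alert, for alice@example.com, with MailsInBurst = 100.
Find-HelpDeskImpersonation -MailTrace $mailTrace -TeamsAudit $teamsAudit | Format-Table -AutoSize
```

The threshold and windows are starting points, not tuned values; the mail-bomb alone is worth a ticket even when no external chat follows, because the attackers sometimes phone or call through Teams hours later.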
Sophos has identified more than 15 such incidents over a recent three-month period, concentrated in the latter part of that window (its two clusters of activity date from November and December 2024). Sophos links one cluster to the activity Microsoft tracks as Storm-1811 and the other, more tentatively, to Fin7 (also known as Carbon Spider, Elbrus, and Sangria Tempest). Both rely on a Microsoft 365 default rather than a software flaw: Teams external access (federation) is enabled for every domain out of the box, so a user in any other Microsoft 365 tenant can chat with or call your staff unless an administrator restricts it, and many organizations never revisit that setting. Because so many companies outsource IT support to a managed service provider, an unsolicited Teams call from someone claiming to be the help desk does not look out of place, least of all to an employee who has just been buried in spam.
This impersonation is a social-engineering attack that exploits human trust and a permissive default configuration, not a vulnerability in Teams itself, so the fixes are organizational and configurational. Concretely: restrict Teams external access to an explicit allow list of the provider domains that legitimately contact staff (or disable it outright), and block chats from consumer Teams and Skype accounts; remove or block Microsoft Quick Assist on endpoints where it is not used, and restrict other remote-control tools to those the help desk actually operates; tell employees that the help desk never initiates contact from an outside tenant and that Teams labels such senders as External, and give them a known-good callback number to verify any support request; and treat a sudden flood of inbound mail to one mailbox as an incident in its own right, since it is the opening move of this campaign.
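The first of those controls is a few lines of Teams administration. The following is an added example, not code from the article or from Microsoft's guidance, showing how to audit the tenant's current external-access settings and replace the open default with an allow list; msp.example.com stands in for your real provider's domain (an assumption), and the final step is an endpoint-side removal of Quick Assist that you would deploy through your management tooling rather than run by hand on each machine.

```powershell
# Added example, not the article's: audit and tighten Teams external access so that
# arbitrary Microsoft 365 tenants cannot open chats or calls with your users.
# Requires the MicrosoftTeams module and a Teams administrator role.
# 'msp.example.com' is a placeholder for your managed-service-provider domain (assumption).

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. What does the tenant allow today? On an untouched tenant AllowFederatedUsers is True
#    and AllowedDomains reports AllowAllKnownDomains, i.e. every other Microsoft 365 tenant.
$cfg = Get-CsTenantFederationConfiguration
$cfg | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                     AllowPublicUsers, AllowedDomains, BlockedDomains

# 2. Replace "every tenant" with an explicit allow list of the providers that legitimately
#    contact staff, and close the consumer Teams and Skype doors as well.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @{Add = 'msp.example.com'} `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 3. Confirm the change took effect before closing the ticket.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains

# 4. Endpoint side (run per machine, e.g. via your management tool): remove Quick Assist,
#    the remote-control tool the article names, wherever the help desk does not use it.
#    MicrosoftCorporationII.QuickAssist is the Store package name Microsoft ships it under.
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxPackage -AllUsers
```

Disabling federation entirely (AllowFederatedUsers $false) is the simpler option if no outside tenant needs to reach your users; the allow list is for organizations whose MSP genuinely works through Teams. Either way, the help desk should still be told that the External label on an inbound chat is a reason to stop, not a reason to help.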
The UK government has recognized the severity of ransomware threats and is considering measures such as banning public bodies from paying ransoms. This approach aims to disrupt the economic incentives for cybercriminals and encourages organizations to invest in robust cybersecurity defenses. The evolving tactics of groups like Fin7 and Storm-1811 serve as a stark reminder of the dynamic nature of cyber threats and the importance of proactive and comprehensive security strategies.
Sources
1. "Russian hackers pose as remote IT staff on Microsoft Teams" – The Times
This article reports on Russian cybercriminals impersonating remote tech-support workers on Microsoft Teams to access networks and install ransomware. The attackers begin by overwhelming employees with spam emails and then pose as IT support on Teams to gain remote access, enabling them to freeze networks and steal data for ransom. Sophos has identified 15 such incidents in the past three months, linking the hackers to Russian criminal gangs Fin7 and Storm-1811. The method exploits Microsoft Teams' default setting that allows external contacts to communicate with internal staff. The article also notes that ransomware attacks are a significant cybersecurity threat, prompting the UK government to propose a ban on public bodies paying ransoms to discourage cybercrime and emphasize the need for robust cyber defenses.
2. "Russian ransomware hackers increasingly posing as tech support on Microsoft Teams" – The Record
This piece highlights a scam where Russian cybercriminals pose as tech support on Microsoft Teams to convince victims they have an IT issue, tricking employees into allowing them to install ransomware on their networks. Sophos reported more than 15 incidents where attackers used Microsoft Office 365's default service settings to socially engineer their way onto a victim's system. The report finds an overlap between one of these attackers and a group tracked as Storm-1811, with another group possibly connected to FIN7. The attackers use external accounts to message targets over Teams, posing as IT support or a "Help Desk Manager," and push victims to permit remote screen control sessions through Teams or Microsoft Quick Assist, which is then used to deploy malware.
3. "Ransomware groups pose as fake tech support over Teams" – CyberScoop
This article discusses how ransomware groups are leveraging Microsoft 365 instances, Microsoft Teams, and email bombing tactics to deliver ransomware. Sophos identified at least two distinct clusters of hacking activity using these tactics to infect targets between November and December 2024. The attackers inundate individuals with emails to create a sense of urgency, then use an external account to message one of the targets over Microsoft Teams, posing as the organization's IT support or a "Help Desk Manager." Under the guise of assistance, the actors push the victim to permit a remote screen control session through Teams or Microsoft Quick Assist, which is then used to deploy malware on the victim's device. The article notes that posing as tech support is a well-known social engineering scheme for malicious hackers.
4. "Russian ransomware hackers impersonate IT support on Microsoft Teams" – teiss
This report reveals that Russian cybercriminals are increasingly posing as tech support staff on Microsoft Teams to infiltrate corporate networks and deploy ransomware. The attackers overwhelm employees with spam emails and then contact them via Teams, pretending to be IT support to gain remote access and install ransomware. Sophos has observed more than 15 such incidents, linking them to Russian cybercrime groups Fin7 and Storm-1811. The article emphasizes the need for organizations to be vigilant and implement robust cybersecurity measures to counteract these sophisticated social engineering tactics.
These articles collectively underscore the evolving tactics of cybercriminals and the critical importance of robust cybersecurity measures, employee training, and vigilant monitoring of communication platforms to prevent such sophisticated attacks.