At a glance.
- Russian threat actors target Microsoft 365 accounts.
- Suspected New IRA members charged for possessing information from PSNI's 2023 data breach.
- Chinese espionage actor may be moonlighting as ransomware attacker.
Russian threat actors target Microsoft 365 accounts.
Volexity and Microsoft have published separate reports warning that multiple Russian threat actors are launching spearphishing attacks designed to compromise Microsoft 365 accounts. The threat actors are impersonating individuals from the US State Department, the Ukrainian Ministry of Defence, the European Union Parliament, and prominent research institutions. Volexity attributes the campaigns to at least three different Russian groups, including CozyLarch (which overlaps with Cozy Bear). Microsoft describes attacks from a Russian threat actor the company tracks as "Storm-2372."
Notably, the attacks involve a lesser-known technique called "device code phishing," which abuses the OAuth 2.0 device authorization grant (RFC 8628) behind Microsoft's device code sign-in. The attacker initiates the flow and obtains a device code, then lures the target into signing in at the legitimate Microsoft verification page and entering that code; because the authorization server issues the resulting tokens to whoever started the flow and is polling for them, the attacker receives the victim's access and refresh tokens without ever handling the password or MFA. Microsoft explains, "In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. This technique could enable persistent access as long as the tokens remain valid, making this attack technique attractive to threat actors."
Volexity says "this method has been more effective at successfully compromising accounts than most other targeted spear-phishing campaigns."
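To make the mechanics concrete, the following is an added simulation of the device authorization grant (RFC 8628) as used by the Microsoft device code flow. It is illustrative code written for this page, not code from Microsoft, Volexity, or the attackers: the identity provider is an in-memory stand-in, no network calls are made, and the client ID, victim addresses, scopes, and the 15-minute code lifetime are assumptions. It shows why the tokens land with the party that started the flow, and why a lure only works if the victim enters the code before it expires.

```python
"""Simulation of the OAuth 2.0 device authorization grant (RFC 8628), the flow
behind Microsoft's /devicecode endpoint, showing how device code phishing works.
Everything here is an in-memory stand-in for the identity provider."""
import secrets
import string
import time

VERIFICATION_URI = "https://microsoft.com/devicelogin"  # real URI, never contacted here
DEVICE_CODE_LIFETIME = 15 * 60  # assumption: device codes expire after 15 minutes
POLL_INTERVAL = 5               # minimum seconds between /token polls (RFC 8628 default)


class DeviceAuthServer:
    """Minimal authorization server for the device code grant."""

    def __init__(self, lifetime=DEVICE_CODE_LIFETIME):
        self.lifetime = lifetime
        self.pending = {}     # device_code -> request record
        self.user_codes = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope, now=None):
        """POST /devicecode. The initiator (the attacker, in phishing) gets both codes."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code,
                                     "expires_at": now + self.lifetime,
                                     "authorized_by": None}
        self.user_codes[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": self.lifetime, "interval": POLL_INTERVAL}

    def user_login(self, user_code, user, now=None):
        """Browser side: whoever signs in and types user_code approves the pending
        request. The server cannot tell whether that person also initiated it;
        that gap is what the phishing lure exploits."""
        now = time.time() if now is None else now
        rec = self.pending.get(self.user_codes.get(user_code))
        if rec is None or now >= rec["expires_at"]:
            return {"error": "invalid_or_expired_code"}
        rec["authorized_by"] = user
        return {"status": "approved", "client_id": rec["client_id"], "scope": rec["scope"]}

    def token(self, device_code, now=None):
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code.
        Polled by the initiator; tokens are issued to the poller, not the approver."""
        now = time.time() if now is None else now
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if now >= rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["authorized_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        self.user_codes.pop(rec["user_code"], None)
        return {"token_type": "Bearer", "scope": rec["scope"],
                "access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),  # outlives the code: persistence
                "sub": rec["authorized_by"]}


def phishing_scenario(server, victim="alice@example.com", now=0.0, delay=60):
    """Attacker starts the flow, sends the lure, and collects the victim's tokens.
    Client ID, victim and scopes are constructed for the example."""
    start = server.device_authorization("example-client-id",
                                        "openid offline_access Mail.Read", now=now)
    pending = server.token(start["device_code"], now=now)           # nobody has approved yet
    # Lure: "Join the meeting: go to microsoft.com/devicelogin and enter <user_code>".
    approval = server.user_login(start["user_code"], victim, now=now + delay)
    issued = server.token(start["device_code"], now=now + delay + POLL_INTERVAL)
    return pending, approval, issued


def expired_scenario(server, now=0.0):
    """Victim acts after the code lifetime: approval fails and no token is issued."""
    start = server.device_authorization("example-client-id", "openid", now=now)
    late = now + DEVICE_CODE_LIFETIME + 1
    approval = server.user_login(start["user_code"], "bob@example.com", now=late)
    return approval, server.token(start["device_code"], now=late)


if __name__ == "__main__":
    pending, approval, issued = phishing_scenario(DeviceAuthServer())
    print(pending, approval, sep="\n")
    print("initiator now holds a refresh token for", issued["sub"])
```

The point the simulation makes is that the approval step never binds the user to the device that requested the code, so a lure only has to be convincing for the minutes the code stays valid. Defensively, the sign-in itself is visible: Entra ID sign-in logs record the authentication protocol used, so sign-ins via device code from unfamiliar locations or clients are worth alerting on, and Conditional Access's "Authentication flows" condition can block the device code flow for users and groups who have no legitimate need for it.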
Suspected New IRA members charged for possessing information from PSNI's 2023 data breach.
Two men in Northern Ireland have been charged with terrorism offenses after being found in possession of information leaked in a data breach from the Police Service of Northern Ireland (PSNI), the BBC reports. The two men allegedly had spreadsheets on their phones containing the names of PSNI police officers and staff members. The defendants are charged under the UK's Terrorism Act 2000 for collecting information likely to be of use to terrorists.
The breach occurred in August 2023 when the PSNI mistakenly published personal details belonging to all of its nearly 10,000 officers and staff while complying with a Freedom of Information request. The Register notes that Commissioner Pete O'Doherty of the City of London Police called the incident "the most significant data breach that has ever occurred in the history of UK policing."
Following the breach, Assistant Chief Constable Chris Todd, the PSNI's Senior Information Risk Owner, stated, "Although it was made available as a result of our own error, anyone who did access the information before it was taken down is responsible for what they do with it next. It is important that data anyone has accessed is deleted immediately."
Chinese espionage actor may be moonlighting as ransomware attacker.
Symantec reports that a toolset tied to Chinese espionage actors was recently used in an RA World ransomware attack against an Asian software company. While Chinese state-sponsored actors often share toolsets with each other, these tools aren't usually associated with cybercrime. Symantec says, "The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit." The researchers add, "In all the prior intrusions involving the toolset, the attacker appeared to be engaged in classic espionage, seemingly solely interested in maintaining a persistent presence on the targeted organizations by installing backdoors."