Full Report
Volexity highlighted how Russian nation-state actors are stealing Microsoft device authentication codes to compromise accounts
Analysis Summary
# Threat Actor: Unspecified Russian Nation-State Actors
## Attribution & Identity
Attributed to: Multiple Russian nation-state actors.
Known Aliases: Not specified in the summary.
## Activity Summary
These actors have been running campaigns since late January and February 2025 that focus on compromising sensitive Microsoft 365 accounts. The primary method is stealing device authentication codes through highly targeted social engineering (phishing).
## Tactics, Techniques & Procedures
- **Social Engineering:** Impersonating individuals from government departments and prominent research institutions to trick victims.
- **Device Code Authentication Phishing:** Stealing device authentication codes to maintain long-term access to compromised accounts.
- **Victim Invitation:** Using platforms like Signal and Element for the initial communication and social-engineering phase.
## Targeting
- **Sectors:** Government, Research Institutions.
- **Geography:** Not explicitly stated, but inferred targeting of US and European entities (US Department of State, European Parliament).
- **Victims:** Government officials and personnel at research institutions.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named. The primary "tool" is the device code phishing scheme exploiting Microsoft 365 authentication flows.
- **Infrastructure (C2, domains, IPs):** No specific URLs or IPs were detailed in the summary, though phishing invitations were sent.
## Implications
The use of device code phishing bypasses traditional MFA factors by stealing the single-use authentication code, granting persistent access to critical accounts within sensitive governmental and research organizations. This suggests a focus on espionage or intelligence gathering targeting official communications and proprietary research.
## Mitigations
- Implementation of conditional access policies (specific mitigation details were not provided in the summary content).
- Increased vigilance against unsolicited communications via platforms like Signal/Element that request authentication codes, especially when the sender impersonates a known entity.
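One detection-side complement to the conditional access mitigation above: review successful device code sign-ins that fall outside the apps and address space the organisation normally uses. The following is an added example, not code or data from the Volexity report; the log records are constructed, the field names follow the Microsoft Graph `signIn` resource (`authenticationProtocol`, `appDisplayName`, `ipAddress`), and the approved-app list and IP prefixes are hypothetical placeholders for a real tenant's baseline.

```python
# Constructed sample Entra ID sign-in records (not from the Volexity report).
# Field names follow the Microsoft Graph signIn resource; all values are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "analyst@example.gov", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Mail Client (sample)", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-02-10T08:05:00Z", "status": {"errorCode": 0}},
    # Successful device code sign-in from an unknown app and a non-corporate IP.
    {"userPrincipalName": "analyst@example.gov", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Unknown Broker (sample)", "ipAddress": "198.51.100.77",
     "createdDateTime": "2025-02-10T08:31:00Z", "status": {"errorCode": 0}},
    # Legitimate device code use: approved CLI tool from corporate address space.
    {"userPrincipalName": "dev@example.gov", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Approved CLI (sample)", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-02-10T09:00:00Z", "status": {"errorCode": 0}},
    # Failed device code attempt: no token was issued, so it is not a hit.
    {"userPrincipalName": "analyst@example.gov", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Unknown Broker (sample)", "ipAddress": "198.51.100.77",
     "createdDateTime": "2025-02-10T08:40:00Z", "status": {"errorCode": 50126}},
]

# Hypothetical tenant baseline: apps allowed to use device code flow, and owned IP prefixes.
APPROVED_DEVICE_CODE_APPS = {"Approved CLI (sample)"}
CORPORATE_IP_PREFIXES = ("203.0.113.",)


def find_suspicious_device_code_signins(records):
    """Return successful device-code sign-ins that are not both from an approved
    app and from corporate address space. Each hit is a small dict for triage."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token grant, so no persistent access
        app_ok = r.get("appDisplayName") in APPROVED_DEVICE_CODE_APPS
        ip_ok = str(r.get("ipAddress", "")).startswith(CORPORATE_IP_PREFIXES)
        if not (app_ok and ip_ok):
            hits.append({"user": r["userPrincipalName"], "app": r["appDisplayName"],
                         "ip": r["ipAddress"], "time": r["createdDateTime"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_device_code_signins(SAMPLE_SIGNINS):
        print("Review device code sign-in:", hit)
```

Failed attempts are skipped deliberately: the access the report describes comes from a completed device code sign-in, so a successful grant from an unexpected app or network is the event worth triaging.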