Microsoft disclosed on Friday that it had fallen prey to a nation-state attack on its corporate systems, resulting in the theft of emails and attachments belonging to senior executives and individuals within the company’s cybersecurity and legal departments.
The attack has been attributed to a Russian advanced persistent threat (APT) group known as Midnight Blizzard (formerly Nobelium), also tracked as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes, according to the tech giant. Microsoft detected the attack on January 12, 2024, and promptly took measures to investigate, disrupt, and mitigate the malicious activity. The campaign is believed to have begun in late November 2023.
The threat actor employed a password spray attack to compromise a legacy non-production test tenant account, establishing a foothold. The attacker then used that account's permissions to access a small percentage of Microsoft corporate email accounts, including those of senior leadership and employees in cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents in the process, Microsoft stated.
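The foothold described above came from a password spray, which looks different in sign-in telemetry from a brute-force attempt: one source touches many accounts with only one or two guesses each, and a single success from that source is the signal to chase. The following is an added detection example, not code from the article or from Microsoft; the sign-in events are constructed for illustration and the threshold values are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): one source tries a
# guess against many accounts and lands on a legacy test account; a second
# source hammers a single account, which is brute force rather than a spray.
EVENTS = [
    ("2023-11-28T02:00:01", "alice", "198.51.100.7", "failure"),
    ("2023-11-28T02:00:03", "bob", "198.51.100.7", "failure"),
    ("2023-11-28T02:00:05", "carol", "198.51.100.7", "failure"),
    ("2023-11-28T02:00:07", "dave", "198.51.100.7", "failure"),
    ("2023-11-28T02:00:09", "erin", "198.51.100.7", "failure"),
    ("2023-11-28T02:00:11", "legacy-test-01", "198.51.100.7", "success"),
    ("2023-11-28T02:05:00", "alice", "203.0.113.9", "failure"),
    ("2023-11-28T02:05:04", "alice", "203.0.113.9", "failure"),
    ("2023-11-28T02:05:09", "alice", "203.0.113.9", "success"),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: {"accounts": n, "successes": [users]}} for every
    source whose failures inside `window` hit at least `min_accounts`
    distinct accounts with no more than `max_per_account` failures each.
    Successes from a spraying source are listed so the foothold account
    can be disabled and its permissions reviewed."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # Slide a window starting at each event from this source.
        for i, (start, _, _) in enumerate(evs):
            fails = defaultdict(int)
            successes = []
            for t, user, result in evs[i:]:
                if t - start > window:
                    break
                if result == "failure":
                    fails[user] += 1
                else:
                    successes.append(user)
            spread = [u for u, n in fails.items() if n <= max_per_account]
            if len(spread) >= min_accounts:
                alerts[ip] = {"accounts": len(fails),
                              "successes": sorted(set(successes))}
                break
    return alerts
```

Running it on the constructed events flags only 198.51.100.7, with legacy-test-01 as the account it succeeded against; the single-account brute force from 203.0.113.9 does not match the spray pattern and needs a separate rule.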
Microsoft clarified that the nature of the targeting suggests the threat actors were specifically seeking information about themselves. Importantly, the company emphasized that the attack did not exploit any security vulnerabilities in its products, and there is no evidence of the adversary gaining access to customer environments, production systems, source code, or AI systems.
While Microsoft did not disclose the exact number of email accounts infiltrated or the specific information accessed, it assured that affected employees were being notified as part of the ongoing response to the incident.
The hacking group Midnight Blizzard, previously involved in the SolarWinds supply chain compromise, had earlier targeted Microsoft in December 2020, aiming to siphon source code related to Azure, Intune, and Exchange components. The group struck again in June 2021, breaching three Microsoft customers through password spraying and brute-force attacks.
The Microsoft Security Response Center (MSRC) emphasized that this incident underscores the persistent risk posed to organizations by well-resourced nation-state threat actors like Midnight Blizzard.
Safeguarding against state-sponsored cyber attacks demands a comprehensive security strategy. Regularly update and patch systems to address vulnerabilities, employ network segmentation to limit lateral movement, and implement robust access controls. Enforce multi-factor authentication for sensitive accounts and conduct regular security audits. Collaborate with threat intelligence providers to stay abreast of evolving attack methodologies and enhance incident response capabilities. Protergo provides RADAR by Protergo as threat intelligence to identify and detect data leakages.