Over the weekend, Microsoft announced that its systems were breached by the Kremlin-backed hacking group Midnight Blizzard at the end of 2023. This is the same group that infamously compromised the SolarWinds Orion platform in the Sunburst/Solorigate incident three years prior. The breach appears to have been a targeted exercise to gather information.
Microsoft detected the attack on January 12 and immediately activated its incident response processes to disrupt and remove the hackers from its systems. Through investigation, it was discovered that Midnight Blizzard gained access to a non-production test account using a password spraying attack. In this method the attacker tries a small number of commonly used passwords against many accounts, rather than many passwords against one account, so that a match can be found without tripping per-account lockout thresholds. Once inside, the hackers used the account’s elevated permissions to target corporate email accounts of senior leadership, cybersecurity professionals, and legal personnel at Microsoft. Some emails and documents were stolen.
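As an added illustration (not code from the article or from Microsoft's report), the Python detector below runs over constructed sign-in log lines and shows the signature that separates a password spray from single-account brute force: one source failing against many distinct accounts in a short window, optionally followed by a success. The log format, IP addresses, account names, window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not real Microsoft telemetry):
# timestamp, source IP, username, result
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 alice FAIL
2023-11-20T02:00:03Z 203.0.113.7 bob FAIL
2023-11-20T02:00:05Z 203.0.113.7 carol FAIL
2023-11-20T02:00:07Z 203.0.113.7 dave FAIL
2023-11-20T02:00:09Z 203.0.113.7 erin FAIL
2023-11-20T02:00:11Z 203.0.113.7 frank FAIL
2023-11-20T02:00:13Z 203.0.113.7 test-svc SUCCESS
2023-11-20T02:05:00Z 198.51.100.9 alice FAIL
2023-11-20T02:05:02Z 198.51.100.9 alice FAIL
2023-11-20T02:05:04Z 198.51.100.9 alice FAIL
2023-11-20T02:05:06Z 198.51.100.9 alice FAIL
2023-11-20T03:00:00Z 192.0.2.4 bob FAIL
"""

def parse(log_text):
    """Parse one event per line into (time, source_ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag each source IP that failed against >= min_users distinct accounts
    inside one sliding window (spray signature: many users, few attempts each),
    and record any success from that source shortly after the spray."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, start in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - start[0] <= window]
            users = {e[2] for e in in_win}
            if len(users) >= min_users:
                end = in_win[-1][0]
                hits = [e[2] for e in evs
                        if e[3] == "SUCCESS" and start[0] <= e[0] <= end + window]
                alerts[ip] = {"targeted_accounts": len(users), "success_after_spray": hits}
                break
    return alerts
```

Repeated failures against a single account (198.51.100.9 above) are not flagged because the distinct-account count stays at one; that case is what per-account lockout already covers, while the spray pattern needs per-source counting.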
Microsoft clarified that the hackers were initially targeting email accounts related to Midnight Blizzard. The company is currently in the process of informing employees whose email accounts were accessed.
Midnight Blizzard, also known as Nobelium, APT29, UNC2452, and Cozy Bear, is one of the most active advanced persistent threat (APT) operations conducted by the Russian state.
Microsoft emphasized that the attack did not exploit any vulnerabilities in its products or services. As of now, there is no evidence that the hackers had access to customer environments, production systems, source code, or AI systems. Microsoft will notify customers if any action is required. The incident highlights the ongoing risk posed by well-resourced nation-state threat actors like Midnight Blizzard.
Microsoft acknowledged the need to strike a better internal balance between security and risk and pledged to apply stricter standards to itself. The company is committed to sharing more information and learnings from the incident.
Tyler Farrar, Chief Information Security Officer at Exabeam, commented on the incident, emphasizing the evolving complexities in cybersecurity. He highlighted the importance of addressing latent security vulnerabilities within organizations and the need for a proactive security operations approach.
Given Microsoft’s prominence, it is not surprising to see it targeted by nation states seeking to steal its data and intellectual property, as well as that of its extensive customer base. This incident is not the first of its kind for the tech giant, which previously faced scrutiny for a breach in which a Chinese group accessed federal email accounts using forged authentication tokens.