Lubos Chlubny - stock.adobe.com
Microsoft has revealed over the weekend that its systems were infiltrated at the end of 2023 by Midnight Blizzard, the same Kremlin-backed hackers who compromised the SolarWinds Orion platform in the infamous Sunburst/Solorigate incident almost exactly three years previously, in what appears to have been a coordinated and targeted information-gathering exercise.
In an announcement posted late on Friday 19 January 2024, Microsoft said it detected the attack on 12 January and was immediately able to activate its internal incident response processes to disrupt it and throw the hackers out of their systems.
In the past couple of weeks, its investigations have found that Midnight Blizzard accessed a legacy non-production test tenant account via a password spraying attack – a type of brute force method whereby threat actors cycle a vast number of potential usernames and credentials through the target system until they get lucky and find a match.
From there, the attackers used the account’s elevated permissions to target Microsoft corporate email accounts belonging to senior leadership and employees in the cyber security and legal functions. Some emails and documents were taken.
“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” said Microsoft in a statement. “We are in the process of notifying employees whose email was accessed.”
Midnight Blizzard is one of the most active advanced persistent threat (APT) operations run by the Russian state. It previously went by the moniker Nobelium prior to a reshuffle of Microsoft’s threat taxonomy, but other researchers have given it the names APT29, UNC2452 and, arguably most famously, Cozy Bear.
“The attack was not the result of a vulnerability in Microsoft products or services,” the firm said. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI [artificial intelligence] systems. We will notify customers if any action is required. This attack does highlight the continued risk posed to all organisations from well-resourced nation-state threat actors like Midnight Blizzard.”
Read more about Cozy Bear
- The Russian hackers behind the SolarWinds attacks are the latest nation-state group to exploit a critical TeamCity vulnerability to gain initial access to victims' servers.
- Microsoft shares intelligence on a newly observed Cozy Bear campaign that saw the APT take over genuine Microsoft 365 tenants and subvert them to try to phish its victims.
- A recent Cozy Bear campaign saw the Russian APT group pivot to exploiting an advert for a used car as it targeted diplomatic missions in Kyiv.
Microsoft said the incident highlights the need to move even faster on striking a better internal balance between security and risk to its business, and vowed to push on with applying stricter standards to itself, even when doing so might be problematic for some processes.
“We are continuing our investigation and will take additional actions based on the outcomes of this investigation, and will continue working with law enforcement and appropriate regulators,” said Microsoft. “We are deeply committed to sharing more information and our learnings, so that the community can benefit from both our experience and observations about the threat actor. We will provide additional details as appropriate.”
Exabeam chief information security officer Tyler Farrar said the incident underscored the evolving complexities inherent to cyber security. “The attackers capitalised on the path of least resistance, exploiting a legacy, non-production account, underscoring the often-overlooked concept of latent security vulnerabilities within organisations,” he said. “The subtlety of such vulnerabilities demands a vigilant … approach to security operations.”
“Microsoft’s response to the breach, aligned with the latest SEC disclosure regulations, emphasises the importance of transparency and swift action in cyber security incidents,” he said. “It also highlights the necessity for organisations to continuously scan their digital infrastructure for any potential ‘Threat Debt’ – a term that encapsulates the risks associated with unaddressed, dormant vulnerabilities.”
As a highly visible actor itself, it should come as little surprise to see Microsoft targeted by nation states looking to steal its own data and intellectual property, and that of its vast customer base. Indeed, this is far from the first such incident of its type to befall the tech giant.
Last summer, Redmond faced questions from US government officials after disclosing that a Chinese group known as Storm-0558 was able to access federal email accounts using forged authentication tokens via a stolen Microsoft account consumer signing key.