Microsoft hack: Five questions enterprises should ask their IT leaders

Software giant Microsoft revealed in mid-January 2024 that its systems were successfully infiltrated at the end of 2023 by Russia-backed hacking group Midnight Blizzard, as part of a coordinated and targeted information-gathering exercise.

Microsoft confirmed the details of the attack in a statement published online on Friday 19 January 2024,  where it revealed the attack was first detected on 12 January 2024 and the immediate activation of its internal response processes meant it was able to immediately remove the hackers from its systems.

“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI [artificial intelligence] systems,” said Microsoft in its statement.

“We will notify customers if any action is required. This attack does highlight the continued risk posed to all organisations from well-resourced nation-state threat actors like Midnight Blizzard.”

And while Microsoft made it clear in its statement that no customer data or services were put at risk during the attack, Microsoft did publish a broader warning in its Security Threat Intelligence Blog on 25 January 2024  that stated its investigation into the hack is still on-going and further details about the impact of the attack may still come to light.

As a result, here are five questions enterprise users of Microsoft’s cloud services should be asking of their CIO, CTO and CISO in the wake of this attack.

1. Microsoft presents itself as being an intrinsically secure platform – is that still the case?

This is a key question because a company’s risk profile should be under continuous, ongoing re-assessment in any event, and the flurry of recent Microsoft hacks ought to be on their risk radar.

It is not clear how (or even if) Microsoft will be able to 100% guarantee its entire cloud environment is now clean and free from hackers, and they’ve reported being attacked successfully multiple times by Chinese and Russia-backed hacking groups.

2. Are we relying on the same security controls as Microsoft do?

Microsoft disclosed the Midnight Blizzard hackers were inside its systems for up to 42 days before they were found –and this is despite them having unmatched global security resources and artificial intelligence-enabled security co-pilot technologies to monitor it.

Microsoft’s detailed release on the breach suggests the company only found the hack through examination of Exchange logs, and not via these next-gen security tools.

Those tools have been pushed out aggressively, and adopted at pace by most Microsoft customers over the past six months, but in this real-world test of the company’s security tech, it is fair to say they have possibly failed.

Companies need to understand how reliant they are on Microsoft’s security capabilities in case they need to toughen up their defenses.

3. How confident can a company be that they have not also suffered from this attack?

Microsoft said there is no evidence of compromise to any customer, but when a nation-state hacker has six weeks to freely roam through an IT infrastructure, it is unlikely they have limit themselves.

In the Microsoft security threat intelligence blog, the company advised “governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the US and Europe” to be aware of the attacks and how to identify if they had been similarly compromised.

This may well indicate that Microsoft believes the attacks have extended beyond its own corporate environment.

4. If we had to disconnect from Microsoft what would it mean for our business operations?

Microsoft cloud platforms, Azure and Microsoft 365,  are global and not regionally segmented. As such they do not necessarily have the ‘firebreaks’ or watertight doors to separate off the effects of an attacker.

When organisations connect to the Microsoft cloud they often do so in a network peering approach, expanding their network addressing and directory services into the cloud as an extension of their corporate network.

This means even a temporary suspension of Microsoft’s cloud services could have a serious effect on business operations. Understanding how committed the business is to continued connectivity to Microsoft is an important part of managing a company’s total risk and exposure.

5. Given the above, what is our actual level of exposure?

This depends an awful lot on what a business is using the Microsoft cloud for, as well as how high profile that use may be and the nature of the organisation concerned.

Many companies struggle to understand how valuable core internal information such as user identities are to a business, and you also need to consider intellectual property rights (IPR) and any data the organisation may have a regulated responsibility for.

Finally, be aware any security issue involving Microsoft is by default global news, so that must be factored into any users’ reputational risk assessments too.