Microsoft recently disclosed that a Russian state-sponsored hacking group breached its corporate systems on January 12. The intrusion involved accessing accounts of the company’s leadership team, as well as employees in cybersecurity and legal departments.
Timeline of the Hack:
The campaign began in late November 2023 and was detected by Microsoft on January 12. The same highly skilled Russian hacking team responsible for the SolarWinds breach was identified as the perpetrator.
Scope of the Breach:
A small percentage of Microsoft corporate accounts were compromised, with the Russian group gaining access to emails and attached documents. Notably, the targeted accounts included those of senior leadership and employees in cybersecurity, legal, and other functions.
Attribution to Russian Group ‘Midnight Blizzard’:
Microsoft’s threat research team attributed the hack to the Russian group known as ‘Midnight Blizzard.’ Starting in November 2023, the hackers used a technique called a “password spray attack,” infiltrating Microsoft’s systems by trying compromised passwords across multiple related accounts.
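As an added defender-side illustration (this is not Microsoft's code or any tool mentioned in the article), the Python script below shows how a password-spray pattern, meaning a few sign-in failures per account spread across many accounts from a single source, can be separated from an ordinary brute-force attempt against one account when reviewing sign-in logs. The log lines, user names and IP addresses are constructed for the example, and the thresholds (five accounts in thirty minutes, at most three failures per account) are assumptions a team would tune for its own environment.

```python
"""Flag password-spray patterns in sign-in logs (constructed example data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <source_ip> <result>".
# 203.0.113.7 fails once against six different accounts within minutes (spray).
# 198.51.100.9 fails ten times against a single account (brute force, not spray).
# 192.0.2.5 is a user who mistyped once and then signed in (benign).
SAMPLE_LOG = """\
2023-11-20T02:00:01Z alice 203.0.113.7 FAIL
2023-11-20T02:00:05Z bob 203.0.113.7 FAIL
2023-11-20T02:00:09Z carol 203.0.113.7 FAIL
2023-11-20T02:00:14Z dave 203.0.113.7 FAIL
2023-11-20T02:00:20Z erin 203.0.113.7 FAIL
2023-11-20T02:00:27Z frank 203.0.113.7 FAIL
2023-11-20T02:01:00Z grace 198.51.100.9 FAIL
2023-11-20T02:01:01Z grace 198.51.100.9 FAIL
2023-11-20T02:01:02Z grace 198.51.100.9 FAIL
2023-11-20T02:01:03Z grace 198.51.100.9 FAIL
2023-11-20T02:01:04Z grace 198.51.100.9 FAIL
2023-11-20T02:01:05Z grace 198.51.100.9 FAIL
2023-11-20T02:01:06Z grace 198.51.100.9 FAIL
2023-11-20T02:01:07Z grace 198.51.100.9 FAIL
2023-11-20T02:01:08Z grace 198.51.100.9 FAIL
2023-11-20T02:01:09Z grace 198.51.100.9 FAIL
2023-11-20T02:05:00Z alice 192.0.2.5 FAIL
2023-11-20T02:05:30Z alice 192.0.2.5 SUCCESS
"""


def parse(log_text):
    """Parse log lines into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_spray(events, min_accounts=5, window=timedelta(minutes=30), max_per_account=3):
    """Return {source_ip: [accounts]} for sources whose failures look like a spray.

    A spray is many distinct accounts with few failures each, from one source,
    inside a time window. Thresholds are assumptions; tune them per environment.
    """
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, items in failures.items():
        items.sort()
        # Slide a window over the time-ordered failures from this source.
        for i in range(len(items)):
            start = items[i][0]
            per_user = defaultdict(int)
            for ts, user in items[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[ip] = sorted(per_user)
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"possible password spray from {ip}: {', '.join(accounts)}")
```

The distinguishing signal is the shape of the failures rather than their count: one source touching many accounts a few times each is what separates a spray from a brute-force attempt, which is why the brute-force source in the sample is deliberately left unflagged so a separate lockout rule can handle it.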
Motivation and Target:
Microsoft’s investigation suggested that the initial goal of the hackers was to learn about Microsoft’s knowledge of their operations. The company clarified that the attack was not due to any specific vulnerability in its products or services.
Response and Attribution of ‘Midnight Blizzard’:
Microsoft emphasized the ongoing risk posed by well-resourced nation-state threat actors like ‘Midnight Blizzard.’ The Russian group, also known as APT29, Nobelium, or Cozy Bear, has been linked to Russia’s SVR spy agency and gained notoriety for intrusions into the Democratic National Committee during the 2016 US elections.
Absence of Evidence of Further Compromises:
Microsoft stated that, to date, there is no evidence that the hackers had access to customer environments, production systems, source code, or AI systems.
Historical Context:
‘Midnight Blizzard’ (Nobelium or Cozy Bear) was previously associated with the 2016 US elections and the SolarWinds hacking campaign. Microsoft products, widely used across the US government, have faced cybersecurity challenges in the past.
Conclusion:
The recent cyber attack highlights the persistent risk posed by sophisticated nation-state threat actors. Microsoft’s ongoing efforts to investigate and address the breach underscore the importance of robust cybersecurity measures in the face of evolving cyber threats.