On Friday, Microsoft disclosed that it fell victim to a nation-state attack on its corporate systems, resulting in the theft of emails and attachments from senior executives and individuals in the company’s cybersecurity and legal departments.
Russian APT Claim Responsibility
Researchers pointed out that a Russian advanced persistent threat (APT) group, Midnight Blizzard (formerly Nobelium), aka. APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes carried out the attack.
Microsoft promptly initiated an investigation, disruption, and mitigation efforts upon discovering the attack on January 12, 2024. There were reasons to believe that the campaign started in late November 2023.
The attackers utilized a password spray attack to compromise a legacy non-production test tenant account, gaining initial access. Subsequently, they used the account’s permissions to access a small percentage of Microsoft corporate email accounts, including those of senior leadership and employees in cybersecurity, legal, and other functions. Some emails and attached documents were exfiltrated during the breach.
Microsoft Clarifies
Microsoft clarified that the targeting suggested the threat actors sought information related to themselves. Importantly, the company stressed that the attack did not exploit any security vulnerability in its products, and there is no evidence indicating access to customer environments, production systems, source code, or AI systems.
Although the tech giant did not disclose the number of infiltrated email accounts or the specific information accessed, it is in the process of notifying affected employees.
Midnight Blizzard, previously involved in the SolarWinds supply chain compromise, had previously targeted the firm, stealing source code related to Azure, Intune, and Exchange components in December 2020. In June 2021, the group breached three Microsoft customers through password spraying and brute-force attacks.
Moreover, the Microsoft Security Response Center (MSRC) underscored that this incident highlights the ongoing risk posed by well-resourced nation-state threat actors like Midnight Blizzard.
In other news, security researchers discovered hackers utilizing a recently addressed security vulnerability in Microsoft Windows to deploy an open-source information stealer called Phemedrone Stealer.
