Pierluigi Paganini
January 20, 2024
Microsoft warned that some of its corporate email accounts were compromised by a Russia-linked cyberespionage group known as Midnight Blizzard. Microsoft notified law enforcement and relevant regulatory authorities.
The Midnight Blizzard group (aka APT29, SVR group, Cozy Bear, Nobelium, BlueBravo, and The Dukes) along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections. The group is known for the SolarWinds supply chain attack that in 2020 hit more that 18,000 customer organizations, including Microsoft.
Microsoft discovered the intrusion on January 12, 2024, and immediately launched an investigation into the security breach. The IT giant confirmed to have locked out the threat actors and mitigated the attack.
“On January 12, 2024, Microsoft (the “Company” or “we”) detected that beginning in late November 2023, a nation-state associated threat actor had gained access to and exfiltrated information from a very small percentage of employee email accounts including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, on the basis of preliminary analysis.” reads a Form 8-K filing with the SEC. “We are examining the information accessed to determine the impact of the incident. We also continue to investigate the extent of the incident.”
The company attributed the attack to the Russian cyberespionage group Midnight Blizzard.
The state-sponsored hackers first compromised the company systems in late November 2023 with a password spray attack. Password spraying is a type of brute force attack where the attackers carry out brute force logins based on a list of usernames with default passwords on the application. In this attack scenario, threat actors use one password against many different accounts on the application to avoid account lockouts that would normally trigger when brute forcing a single account with many passwords.
Microsoft revealed that the threat actors gained access to a legacy non-production test tenant account and used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. The attackers gained access to the accounts of members of the company’s senior leadership team and employees in cybersecurity, legal, and other functions. The company also confirmed that attackers have exfiltrated some emails and attached documents. The APT group initially targeted email accounts to gather intelligence on investigations conducted by Microsoft on Midnight Blizzard’s activities. Microsoft is notifying impacted employees.
The company pointed out that the attackers did not exploit any vulnerability in Microsoft products or services. Microsoft also added that there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.
“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.” wrote Microsoft. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”
According to the Form 8-K, the incident has not had a material impact on the Company’s operations.
“The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” reads the document.
The lesson from the incident is that the compromised accounts were not adequately protected against brute force attacks. Effective techniques to mitigate brute-force attacks include enabling Multi-factor Authentication (MFA), using strong passwords, utilizing CAPTCHAs, IP rate limiting, implementing account lockout, log monitoring.
Italian readers can listen to my podcast on the importance of enabling 2FA to protect our accounts.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Microsoft)
