On Friday, Microsoft disclosed that it was the victim of a nation-state assault on its corporate systems, which led to the pilfering of emails and attachments belonging to executives and other personnel in the cybersecurity and legal divisions of the corporation.
Microsoft attributed the attack to Midnight Blizzard (previously Nobelium), a Russian advanced persistent threat (APT) group that is also tracked under several other names, including APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.
It added that as soon as the malicious activity was detected on January 12, 2024, it moved to investigate, disrupt, and mitigate it. The campaign is estimated to have begun in late November 2023.
“The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft stated.
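As an added illustration of the detection a defender would want for the technique Microsoft describes above (this is example code, not Microsoft's code or telemetry), the following Python flags a password spray in constructed sign-in records: one source failing against many distinct accounts within a short window, then succeeding against one of them, which is the kind of foothold the statement describes. The record format, IP addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, source IP, account, outcome).
# 198.51.100.7 sprays one guess across many accounts and lands on a test account;
# 203.0.113.5 hammers a single account, which is brute force, not a spray.
EVENTS = [
    ("2023-11-28T02:00:01", "198.51.100.7", "alice@test.example", "failure"),
    ("2023-11-28T02:00:09", "198.51.100.7", "bob@test.example", "failure"),
    ("2023-11-28T02:00:17", "198.51.100.7", "carol@test.example", "failure"),
    ("2023-11-28T02:00:25", "198.51.100.7", "dave@test.example", "failure"),
    ("2023-11-28T02:00:33", "198.51.100.7", "erin@test.example", "failure"),
    ("2023-11-28T02:00:41", "198.51.100.7", "legacy-test@test.example", "success"),
    ("2023-11-28T02:01:00", "203.0.113.5", "alice@test.example", "failure"),
    ("2023-11-28T02:01:30", "203.0.113.5", "alice@test.example", "failure"),
    ("2023-11-28T02:02:00", "203.0.113.5", "alice@test.example", "success"),
]


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Flag source IPs whose failed sign-ins hit many distinct accounts inside
    one window: breadth across users with few attempts per user is the spray
    signature, and it evades per-account lockout thresholds.
    Returns {ip: {"accounts": n, "success_after_spray": [accounts]}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    findings = {}
    for ip, rows in by_ip.items():
        failed = [(t, u) for t, u, o in rows if o == "failure"]
        for i, (t0, _) in enumerate(failed):
            users = {u for t, u in failed[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                # Any success from the same source after the spray began is the
                # account the attacker actually got into.
                succ = [u for t, u, o in rows if o == "success" and t >= t0]
                findings[ip] = {"accounts": len(users), "success_after_spray": succ}
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(EVENTS).items():
        print(f"{ip}: {f['accounts']} accounts sprayed, foothold on {f['success_after_spray']}")
```

Because the spray is spread thinly across accounts, the same records would not trip a per-account failed-login threshold; correlating by source over a window is what surfaces it.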
According to Redmond, the targeting of the attacks suggests the threat actors were trying to steal personal data. Moreover, it stressed that there was no evidence the adversary gained access to customer environments, production systems, source code, or artificial intelligence (AI) systems, and that the attack was not the result of any security flaw in its products.
The computer behemoth, however, remained mum on the number of compromised email accounts or the information that was obtained, only stating that it was in the process of informing affected staff members.
The hacking group, which was previously behind the well-known SolarWinds supply chain attack, has targeted Microsoft twice before: once in December 2020, when it stole source code linked to Azure, Intune, and Exchange components, and again in June 2021, when it used password spraying and brute-force attacks to compromise three of its customers.
The Microsoft Security Response Center (MSRC) stated that “this attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”