Microsoft warned Friday night that some of its corporate email accounts were breached and data stolen by a Russian state-sponsored hacking group known as Midnight Blizzard.
The company detected the attack on January 12th, with Microsoft’s investigation ultimately determining that the attack was conducted by Russian threat actors known more commonly as Nobelium or APT29.
Microsoft says the threat actors breached their systems in November 2023 when they conducted a password spray attack to access a legacy non-production test tenant account.
A password spray is a type of brute force attack where threat actors collect a list of potential login names and then attempt to log in to all of them using a particular password. If that password fails, they repeat this process with other passwords until they run out or successfully breach the account.
The fact that the hackers were able to gain access to the account using a brute force attack indicates it was not protected with two-factor authentication (2FA) or multi-factor authentication (MFA), a security practice that Microsoft recommends on all types of online accounts.
Once the hackers gained access to the “test” account, Microsoft says the Nobelium hackers used it to access a “small percentage” of Microsoft’s corporate email accounts for over a month.
Unless the threat actors used this test account to breach systems and pivot to accounts with higher permissions, it is unclear why a non-production test account would have the permissions to access other accounts in Microsoft’s corporate email system.
Microsoft says the breached email accounts included members of Microsoft’s leadership team and employees in the cybersecurity and legal departments, from which the hackers stole emails and attachments.
“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” the Microsoft Security Response Center shared in a report on the incident.
“We are in the process of notifying employees whose email was accessed.”
Microsoft reiterates that this breach was not caused by a vulnerability in their products and services but rather by a brute force password attack on their accounts.
However, based on the limited information shared by Microsoft, it appears that a big part of the breach was caused by the poorly secured configuration of the breached account.
While Microsoft is still investigating the breach, they said they will share additional details as appropriate.
In a Form 8-K filing with the SEC, Microsoft says that the breach has not had a material impact on the company’s operations.
Who is Nobelium
Nobelium (aka Midnight Blizzard, APT29, and Cozy Bear) is a Russian state-sponsored hacking group believed to be part of Russia’s Foreign Intelligence Service (SVR), which has been linked to numerous attacks over the years.
Microsoft later confirmed that the SolarWinds attack allowed the hackers to steal source code for a limited number of Azure, Intune, and Exchange components.
In June 2021, the hacking group once again breached a Microsoft corporate account, allowing them to access customer support tools.
Microsoft has always been a highly prized target as it controls so much of the data and services used by governments and enterprises worldwide.
More recently, Microsoft was targeted by Chinese hackers who stole a Microsoft signing key that allowed them to access the email accounts of two dozen organizations, including U.S. and Western European government agencies.