Microsoft warned Friday night that some of its corporate email accounts were breached and data stolen by a Russian state-sponsored hacking group known as Midnight Blizzard.
The company detected the attack on January 12th, with Microsoft's investigation ultimately determining that the attack was conducted by Russian threat actors known more commonly as Nobelium or APT29.
Microsoft says the threat actors breached their systems in November 2023 when they conducted a password spray attack to access a legacy non-production test tenant account.
A password spray is a type of brute force attack in which threat actors collect a list of potential login names and then attempt to log in to each of them using a single password. If that password fails, they repeat the process with another password until they run out of passwords or succeed in breaching an account.
The fact that the hackers were able to gain access to the account using a brute force attack indicates it was not protected with two-factor authentication (2FA) or multi-factor authentication (MFA), a security practice that Microsoft recommends on all types of online accounts.
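One way a defender can spot the pattern described above in sign-in telemetry, as an added example that is not part of the article or of Microsoft's own tooling: a small Python detector that flags a source which fails against many distinct accounts with only a few attempts each (the spray shape, as opposed to a single-account brute force), and lists the accounts that source later signed into successfully. The log lines, account names and IP addresses are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (timestamp,user,source_ip,result); not real telemetry.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z,alice,203.0.113.7,FAIL
2023-11-20T02:00:09Z,bob,203.0.113.7,FAIL
2023-11-20T02:00:17Z,carol,203.0.113.7,FAIL
2023-11-20T02:00:25Z,dave,203.0.113.7,FAIL
2023-11-20T02:00:33Z,erin,203.0.113.7,FAIL
2023-11-20T02:00:41Z,legacy-test,203.0.113.7,FAIL
2023-11-20T02:31:02Z,legacy-test,203.0.113.7,SUCCESS
2023-11-20T03:00:00Z,alice,198.51.100.4,FAIL
2023-11-20T03:00:05Z,alice,198.51.100.4,FAIL
2023-11-20T03:00:10Z,alice,198.51.100.4,FAIL
"""

def parse_signins(text):
    """Parse CSV lines into chronologically sorted (time, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split(",")
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    return sorted(events)

def detect_spray(events, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Flag source IPs whose failures span many accounts with few tries each
    (spray shape); a single-account brute force has the opposite shape."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            per_user = Counter(e[1] for e in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > best["accounts"]:
                    # Accounts this source later signed into are compromise candidates.
                    hits = sorted({e[1] for e in evs if e[3] == "SUCCESS" and e[0] >= fails[start][0]})
                    best = {"ip": ip, "accounts": len(per_user),
                            "first_seen": fails[start][0].isoformat(), "compromised": hits}
        if best:
            alerts.append(best)
    return alerts
```

Per-account failure counts in a spray typically stay below lockout thresholds, which is why the detector keys on the number of distinct accounts per source rather than on failures per account.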
Once the hackers gained access to the "test" account, Microsoft says the Nobelium hackers used it to access a "small percentage" of Microsoft's corporate email accounts for over a month.
It is unclear why a non-production test account would have had permission to access other accounts in Microsoft's corporate email system, unless the threat actors used it as a foothold to pivot to accounts with higher permissions.
Microsoft says the breached email accounts included members of Microsoft's leadership team and employees in the cybersecurity and legal departments, from which the hackers stole emails and attachments.
"The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself," the Microsoft Security Response Center shared in a report on the incident.
"We are in the process of notifying employees whose email was accessed."
Microsoft reiterates that this breach was not caused by a vulnerability in their products and services but rather by a brute force password attack on their accounts.
However, based on the limited information shared by Microsoft, it appears that a big part of the breach was caused by the poorly secured configuration of the breached account.
While Microsoft is still investigating the breach, they said they will share additional details as appropriate.
In a Form 8-K filing with the SEC, Microsoft says that the breach has not had a material impact on the company's operations.
Who is Nobelium?
Nobelium (aka Midnight Blizzard, APT29, and Cozy Bear) is a Russian state-sponsored hacking group believed to be part of Russia's Foreign Intelligence Service (SVR), which has been linked to numerous attacks over the years.
The hackers rose to notoriety when the U.S. government linked them to the 2020 SolarWinds supply chain attack, which also impacted Microsoft at the time.
Microsoft later confirmed that the SolarWinds attack allowed the hackers to steal source code for a limited number of Azure, Intune, and Exchange components.
In June 2021, the hacking group once again breached a Microsoft corporate account, allowing them to access customer support tools.
In addition to conducting cyberespionage and data theft attacks, Nobelium is also known for developing custom malware to use in their attacks.
Microsoft has always been a highly prized target as it controls so much of the data and services used by governments and enterprises worldwide.
More recently, Microsoft was targeted by Chinese hackers who stole a Microsoft signing key that allowed them to access the email accounts of two dozen organizations, including U.S. and Western European government agencies.
Comments
h_b_s - 5 months ago
It's clear to me Microsoft is no better at securing their own networks and systems than anyone else, given the same access to documentation and expertise. That being the case it becomes clearly evident that forcing people off on-prem services isn't about security. It's about Microsoft monetizing data and artificially inflating their Azure cloud numbers.
jbcs - 5 months ago
What exactly do they mean by a tenant's account? How could a tenant even access Microsoft's network at all? How many of their other tenants have security issues?
AutomaticJack - 5 months ago
"What exactly do they mean by a tenant's account? How could a tenant even access Microsoft's network at all? How many of their other tenants have security issues?"
1. It was one of their own tenant accounts.
2. Who knows. Like we say, nothing is 100% secure - it's just a matter of time and $ for someone to get in. But some IT ops are bigger trashfires than others - the trick is to find out which and steer clear.
- Sounds like the actors wanted in to see the file MS had on them.
jbcs - 5 months ago
So it's not a tenant's test account, it's a test tenant account?
AutomaticJack - 5 months ago
"So it's not a tenant's test account, it's a test tenant account?"
Correct.