A Russian government-backed hacking team successfully hacked into Microsoft’s corporate network and stole emails and attachments from senior executives and targets in the cybersecurity and legal departments, the company disclosed late Friday.
The Redmond, Wash. software giant said the APT group, known as Midnight Blizzard/Nobelium, used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts.
“[They] exfiltrated some emails and attached documents,” Microsoft said in a filing with the Securities and Exchange Commission (SEC).
The company said its security team detected the nation-state attack on its corporate systems on January 12, 2024 and traced the infection back to November 2023.
The company said members of its senior leadership team were among the victims and noted that the hackers were initially targeting email accounts for information related to Redmond’s own knowledge of the APT operation.
“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required,” the world’s largest software maker said.
“We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes,” Microsoft said, noting the changes will “likely cause some level of disruption while we adapt to this new reality.”
“We are continuing our investigation and will take additional actions based on the outcomes of this investigation and will continue working with law enforcement and appropriate regulators,” Microsoft added.
The discovery of Russian hackers in Microsoft’s network comes less than six months after Chinese cyberspies were caught forging authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes.
The hack, which led to the theft of email data from approximately 25 government organizations in the United States, is currently being investigated by the CISA Cyber Security Review Board (CSRB).
Midnight Blizzard/Nobelium (AKA APT29 and Cozy Bear by others) is the same group that was attributed to hacking IT management solutions provider SolarWinds in a massive supply chain attack in 2020.