Microsoft says Midnight Blizzard hacker group accessed source code and internal systems in January cyber attack
Microsoft confirmed the Russian-linked group accessed internal systems after an incident that was first detected in January
Microsoft has revealed that Russian state-sponsored hacker group Midnight Blizzard gained access to internal systems and source code repositories during a cyber attack in January.
The tech giant said its security team had detected the attack on 12 January 2024 and triggered its response process to prevent any further access into its systems and mitigate potential damage.
Identified as Midnight Blizzard, the group are believed to have used a password spray attack to compromise a legacy non-production test tenant account and gain initial access.
From here, the attackers were able to access a small percentage of Microsoft corporate email accounts, including those of its senior leadership team and staff in its security, legal, and other functions, according to an update published on 19 January.
The update added that the attack was not the result of a vulnerability in Microsoft products or services.
In its latest update, released on 8 March 2024, Microsoft said it has seen evidence that the group is using information exfiltrated from its corporate email systems to try to gain unauthorized access to both Microsoft and customer networks.
“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” the company said in a blog post. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”
The company described the attack as characterized by a sustained, significant commitment of the group’s resources, coordination, and focus. It speculated that the group may be using the information to build a better picture with which to plan future attacks or to enhance its offensive capabilities.
Microsoft also noted Midnight Blizzard has ramped up the volume of certain aspects of the attack, such as password sprays, by roughly a factor of ten in February, compared to the levels observed in January.
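The initial access and the February ramp-up described above both rest on password spraying: one source trying a few common passwords against many accounts, which keeps each account below its lockout threshold. As an added example (not code from Microsoft or the article), the detector below flags that pattern in sign-in logs and reports any success that followed the burst from the same source. The log lines, account names and IP addresses are constructed for the example.

```python
"""Password-spray detector over constructed sign-in events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in lines: timestamp, result, user, source IP.
# These are invented to exercise the logic, not real telemetry.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z FAIL alice@test.example 203.0.113.7
2024-01-12T03:00:09Z FAIL bob@test.example 203.0.113.7
2024-01-12T03:00:17Z FAIL carol@test.example 203.0.113.7
2024-01-12T03:00:25Z FAIL dave@test.example 203.0.113.7
2024-01-12T03:00:33Z FAIL erin@test.example 203.0.113.7
2024-01-12T03:00:41Z SUCCESS legacy-test@test.example 203.0.113.7
2024-01-12T03:05:00Z FAIL alice@test.example 198.51.100.4
2024-01-12T03:05:10Z FAIL alice@test.example 198.51.100.4
2024-01-12T03:05:20Z SUCCESS alice@test.example 198.51.100.4
"""

def parse(log: str):
    """Turn log lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {ip: {"targeted": [...], "compromised": [...]}} for sources that
    failed against many distinct accounts with few tries each inside one window
    (the spray signature, unlike one user mistyping their own password)."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        for i, (t0, _, _, _) in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - t0 <= window]
            per_user = defaultdict(int)
            for e in burst:
                per_user[e[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # A success from the same source inside the window is the account to triage first.
                hits = sorted(u for t, r, u, _ in evs if r == "SUCCESS" and t0 <= t <= t0 + window)
                alerts[ip] = {"targeted": sorted(per_user), "compromised": hits}
                break
    return alerts
```

Tune `min_users` and `window` to the tenant's normal failure rate; the per-user cap is what separates a spray from a single locked-out user.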
Who are Midnight Blizzard?
Midnight Blizzard, also known as Nobelium, APT29, and Cozy Bear, are understood to be a Russian state-sponsored threat actor group, with close links to the country's Foreign Intelligence Service (SVR).
The group initially rose to prominence in 2013 after the first samples of the MiniDuke malware began circulating on the dark web, according to analysis by Kaspersky Labs.
Since then the group has been responsible for a number of cyber attacks, predominantly targeting NATO member states.
In 2015, Midnight Blizzard gained access to networks at the Pentagon via a spear phishing attack on its email servers, leading to a total shutdown of the Joint Staff unclassified email system, as well as internet access in the building.
The following year the group were also able to compromise the servers of the Democratic National Convention (DNC) within months of the 2016 US election.
Since then both the Norwegian and Dutch governments have been affected by attacks from the collective, and the Dutch general election in 2017 reverted to hand counting to avoid potential tampering concerns.
In addition to the January attack on Microsoft, the group also gained unauthorized access to HPE’s cloud-hosted email environment. Midnight Blizzard was able to access several SharePoint files on the HPE system, according to the company’s SEC filing.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.