Microsoft says Midnight Blizzard hacker group accessed source code and internal systems in January cyber attack
Microsoft confirmed the Russian-linked group accessed internal systems after an incident that was first detected in January


Microsoft has revealed that Russian state-sponsored hacker group Midnight Blizzard gained access to internal systems and source code repositories during a cyber attack in January.
The tech giant said its security team had detected the attack on 12 January 2024 and triggered its response process to prevent any further access into its systems and mitigate potential damage.
Identified as Midnight Blizzard, the group are believed to have used a password spray attack to compromise a legacy non-production test tenant account and gain initial access.
From here, the attackers were able to access a small percentage of Microsoft corporate email accounts, including its senior leadership team and staff in its security, legal, and other functions, according to an update published on 19 January.
The update added that the attack was not the result of a vulnerability in Microsoft products or services.
In its latest update, released on 8 March 2024, Microsoft said it has seen evidence that the group is using information exfiltrated from its corporate email systems to try to gain unauthorized access to both Microsoft and customer networks.
“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” the company said in a blog post. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”
The company described the attack as characterized by a sustained, significant commitment of the group’s resources, coordination, and focus. It speculated that the threat actors may be using the information to build a better picture with which to plan future attacks or to enhance their offensive capabilities.
Microsoft also noted Midnight Blizzard has ramped up the volume of certain aspects of the attack, such as password sprays, by roughly a factor of ten in February, compared to the levels observed in January.
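The password-spray technique named above, in which a handful of guesses is spread across many accounts so that no single account trips a lockout, is illustrated here by an added detector that is not code from Microsoft or from this article. It groups sign-in failures by source rather than by account, which is what makes a spray visible; the log format, addresses and account names are constructed for the example.

```python
"""Detect a password-spray pattern in constructed sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp,source_ip,user,result". Not real telemetry.
# The first source tries five accounts once each and then lands on a legacy test
# account; the second hammers one account, which is brute force, not a spray.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z,203.0.113.7,alice@example.test,FAIL
2024-01-12T03:00:04Z,203.0.113.7,bob@example.test,FAIL
2024-01-12T03:00:07Z,203.0.113.7,carol@example.test,FAIL
2024-01-12T03:00:10Z,203.0.113.7,dave@example.test,FAIL
2024-01-12T03:00:13Z,203.0.113.7,erin@example.test,FAIL
2024-01-12T03:00:16Z,203.0.113.7,legacy-test@example.test,SUCCESS
2024-01-12T03:05:00Z,198.51.100.9,alice@example.test,FAIL
2024-01-12T03:05:02Z,198.51.100.9,alice@example.test,FAIL
2024-01-12T03:05:04Z,198.51.100.9,alice@example.test,SUCCESS
"""

def parse(log_text):
    """Turn the CSV-style lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def find_spray_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: {"users": n, "success": [...]}} for every source that
    fails against at least `min_users` distinct accounts with at most
    `max_per_user` failures each inside a sliding `window`. Successes seen in
    the same window are reported so the compromised account is obvious."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _, _) in enumerate(evs):
            fails, successes = defaultdict(int), []
            for ts, _, user, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.append(user)
            if len(fails) >= min_users and max(fails.values(), default=0) <= max_per_user:
                hits[ip] = {"users": len(fails), "success": successes}
                break
    return hits
```

Per-account lockout thresholds never fire on this pattern, so the grouping by source is the check that matters; MFA on every tenant, test tenants included, is the mitigation the incident points at.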
Who are Midnight Blizzard?
Midnight Blizzard, also known as Nobelium, APT29, and Cozy Bear, are understood to be a Russian state-sponsored threat actor group, with close links to the country's Foreign Intelligence Service (SVR).
The group initially rose to prominence in 2013 after the first samples of the MiniDuke malware began circulating on the dark web, according to analysis by Kaspersky Labs.
Since then the group has been responsible for a number of cyber attacks, predominantly targeting NATO member states.
In 2015, Midnight Blizzard gained access to networks at the Pentagon via a spear phishing attack on its email servers, leading to a total shutdown of the Joint Staff unclassified email system, as well as internet access in the building.
The following year the group were also able to compromise the servers of the Democratic National Convention (DNC) within months of the 2016 US election.
Since then both the Norwegian and Dutch governments have been affected by attacks from the collective, and the 2017 Dutch general election reverted to hand counting to avoid potential tampering concerns.
In addition to the January attack on Microsoft, the group also gained unauthorized access to HPE’s cloud-hosted email environment. Midnight Blizzard was able to access several SharePoint files on the HPE system, according to the company’s SEC filing.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.