
Microsoft revealed on Friday that it was the target of a nation-state attack on its enterprise systems, resulting in the theft of emails and attachments from senior executives and others in the company’s cybersecurity and legal departments.
The Windows maker attributed the attack to a Russian advanced persistent threat (APT) group it tracks as Midnight Blizzard (formerly Nobelium), which is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear and The Dukes.
It also said that it took immediate steps to investigate, disrupt and mitigate the malicious activity upon discovering it on January 12, 2024. The campaign is estimated to have begun in late November 2023.

“Threat actors used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, then used the account’s permissions to gain access to a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and our employees in cybersecurity, legal and other functions and stole some emails and attachments,” Microsoft said.
Redmond said the nature of the targeting showed the threat actors were looking for information related to themselves. It also emphasized that the attack was not caused by any security vulnerability in its products and that there was no evidence that the adversary had access to customer environments, production systems, source code or artificial intelligence systems.
However, the computing giant did not disclose how many email accounts were compromised or what information was accessed, saying only that it was in the process of notifying employees affected by the incident.

The hacker group, which was previously responsible for the high-profile SolarWinds supply chain breach, has targeted Microsoft twice before: once in December 2020, to steal source code related to Azure, Intune and Exchange components, and again in June 2021, when attacks were launched against three of its customers via password spraying and brute-force attacks.
“This attack really highlights the ongoing risk that well-resourced nation-state threat actors like Midnight Blizzard pose to all organizations,” the Microsoft Security Response Center (MSRC) said.