Microsoft revealed on Friday that a Kremlin-backed threat actor called midnight snowstorm (also known as APT29 or Cozy Bear) successfully gained access to part of its source code repository and internal systems after a hacking attack exposed in January 2024.
“In recent weeks, we have seen evidence that Midnight Blizzard is using information originally leaked from our company email systems to gain or attempt to gain unauthorized access,” the tech giant said.
“This includes access to some of the company’s source code repositories and internal systems. To date, we have found no evidence that customer-facing systems hosted by Microsoft have been compromised.”
Redmond is continuing to investigate the extent of the leak, and the company says Russian state-sponsored threat actors are trying to exploit different types of secrets it discovered, including those shared in emails between customers and Microsoft.
However, it did not reveal what those secrets were or the scale of the compromise, although it said it had contacted affected customers directly. It’s unclear what source code was accessed.
Microsoft said it has increased its security investments and further noted that the number of password spray attacks by adversaries in February increased by as much as 10 times compared to the “already significant volumes” observed in January.
“Midnight Blizzard’s ongoing attacks are characterized by a sustained and significant investment of resources, coordination and focus by threat actors,” the statement read.
“It may use the information it acquires to build up its picture of the attack area and enhance its attack capabilities. This reflects the wider unprecedented global threat landscape, particularly with regard to sophisticated nation-state attacks.”
The Microsoft breach is said to have occurred in November 2023, when Midnight Blizzard used a password spray attack to successfully penetrate old non-production test tenant accounts that did not have multi-factor authentication (MFA) enabled.
The tech giant revealed in late January that APT29 targets other organizations by leveraging a variety of initial access methods, from stolen credentials to supply chain attacks.
Midnight Blizzard is believed to be part of Russia’s Foreign Intelligence Service (SVR). This threat actor has been active since at least 2008 and is one of the most prolific and sophisticated hacking groups and has compromised high-profile targets such as SolarWinds.
