Russian Spies Hacked Microsoft Email Systems & Stole Source Code

Microsoft has disclosed that Russian government hackers, identified as the group Midnight Blizzard, have successfully infiltrated its corporate email systems and stolen source code.

The tech giant recently discovered unauthorized access attempts that were made using information obtained from a previous hack that took place last year. This ongoing cyberattack highlights the persistent threat posed by nation-state actors and raises serious concerns about the security of critical technological infrastructure.

Microsoft’s announcement on March 8, 2024, detailed that Midnight Blizzard, also known as APT29 or Cozy Bear, utilized information initially exfiltrated from the company’s corporate email systems to gain unauthorized access to its internal systems, including source code repositories.

This breach is part of a series of intrusions that began in November of the previous year, targeting the corporate email accounts of senior leadership and employees across various departments, including cybersecurity and legal functions.

The hackers appear to have multiple objectives, including stealing valuable source code and gathering intelligence on what Microsoft knows about their operations.

The breach has prompted Microsoft to file a report with the U.S. Securities and Exchange Commission, highlighting the severity of the situation and the potential implications for the company’s security posture and reputation.

Midnight Blizzard’s Tactics

Midnight Blizzard gained access to Microsoft’s systems through a sophisticated cyberattack that began in late November 2023.

The group used a password spray attack to compromise a legacy non-production test tenant account within Microsoft’s environment.

This type of attack involves trying a handful of common passwords against many accounts rather than many passwords against one account, keeping the attempts per account low enough to avoid triggering account lockouts.
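Because spraying keeps the per-account failure count below lockout thresholds, a per-account lockout rule never fires; the pattern is only visible when sign-in failures are grouped by source and many distinct accounts fail within a short window. The following detector is an added example written for this article, not Microsoft's own tooling or telemetry. It runs over constructed sample sign-in lines (the log format, hosts, account names and thresholds are all assumptions chosen for illustration), flags sources whose failure pattern matches a spray, and reports any sprayed account that later signed in successfully from the same source, which is the follow-on event a responder would want to see first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real telemetry). Each line is:
# <ISO-8601 timestamp> <source IP> <account> <SUCCESS|FAIL>
# 203.0.113.7 sprays six accounts once each, then logs in to a legacy test account.
# 198.51.100.9 hammers a single account (brute force, not a spray).
# 192.0.2.44 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 alice@example.test FAIL
2023-11-20T02:00:04Z 203.0.113.7 bob@example.test FAIL
2023-11-20T02:00:07Z 203.0.113.7 carol@example.test FAIL
2023-11-20T02:00:10Z 203.0.113.7 dave@example.test FAIL
2023-11-20T02:00:13Z 203.0.113.7 erin@example.test FAIL
2023-11-20T02:00:16Z 203.0.113.7 legacy-test@example.test FAIL
2023-11-20T02:15:02Z 203.0.113.7 legacy-test@example.test SUCCESS
2023-11-20T02:01:00Z 198.51.100.9 alice@example.test FAIL
2023-11-20T02:01:02Z 198.51.100.9 alice@example.test FAIL
2023-11-20T02:01:04Z 198.51.100.9 alice@example.test FAIL
2023-11-20T02:01:06Z 198.51.100.9 alice@example.test FAIL
2023-11-20T02:01:08Z 198.51.100.9 alice@example.test FAIL
2023-11-20T02:01:10Z 198.51.100.9 alice@example.test FAIL
2023-11-20T09:30:00Z 192.0.2.44 frank@example.test FAIL
2023-11-20T09:30:20Z 192.0.2.44 frank@example.test SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")


def parse_events(log_text):
    """Parse log lines into time-ordered (timestamp, source, account, result) tuples."""
    events = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    events.sort()
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3):
    """Flag sources that fail against many distinct accounts with few tries each.

    Returns {source_ip: {"accounts": [...], "later_success": [...]}} where
    later_success lists sprayed accounts that subsequently signed in from the
    same source, i.e. the spray likely found a working password.
    """
    failures = defaultdict(list)   # source -> [(ts, account)]
    successes = defaultdict(list)  # source -> [(ts, account)]
    for ts, src, acct, result in events:
        (failures if result == "FAIL" else successes)[src].append((ts, acct))

    findings = {}
    for src, fails in failures.items():
        best = {}
        start = 0
        # Sliding time window over this source's (already sorted) failures.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, acct in fails[start:end + 1]:
                counts[acct] += 1
            # Spray signature: many accounts, each hit only a few times.
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                if len(counts) > len(best):
                    best = dict(counts)
        if not best:
            continue
        first_fail = {}
        for ts, acct in fails:
            first_fail.setdefault(acct, ts)
        later = sorted({acct for ts, acct in successes.get(src, [])
                        if acct in best and ts > first_fail[acct]})
        findings[src] = {"accounts": sorted(best), "later_success": later}
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: sprayed {len(info['accounts'])} accounts; "
              f"later success on {info['later_success'] or 'none'}")
```

The thresholds are the important tuning knobs: `max_per_account` should sit below the tenant's lockout threshold (a spray is designed to stay under it), and `min_accounts` high enough that a shared NAT egress with a few fat-fingered users does not alert. The `later_success` list is what turns a noisy volume alert into a credential-compromise case, and accounts on it, especially legacy or non-production ones that still lack multi-factor authentication, are the ones to reset and review first.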

Once they had a foothold, they used the account’s permissions to access a small percentage of Microsoft corporate email accounts, including those of senior leadership and employees in cybersecurity, legal, and other functions.

The attackers exfiltrated emails and attached documents from these accounts. The investigation suggests that Midnight Blizzard was initially targeting email accounts for information related to their own operations, likely as a counterintelligence effort to understand what Microsoft knew about them.

After the initial breach, Midnight Blizzard used the information they had exfiltrated to attempt further unauthorized access to Microsoft’s internal systems, including source code repositories.

Microsoft detected that password spray attacks by the group increased as much as tenfold in February 2024 compared with the volume seen in January, indicating a significant escalation in the group’s activities.

Microsoft has stated that there is no evidence that customer-facing systems have been compromised.

“The threat actor’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. Our active investigations of the threat actor’s activities are ongoing, findings of our investigations will continue to evolve, and further unauthorized access may occur,” Microsoft said.

Microsoft has ramped up its security investments and cross-enterprise coordination to defend against these sophisticated threats.

The company has implemented enhanced security controls, detections, and monitoring to secure and harden its environment against Midnight Blizzard’s activities.

Microsoft’s proactive measures also involve reaching out to customers potentially affected by the breach to assist them in taking mitigating measures.

Microsoft’s commitment to transparency and sharing findings from its investigations reflects its dedication to addressing the cybersecurity challenges posed by nation-state actors.

The breach of Microsoft’s corporate email systems and the theft of source code by Russian spies represent a significant cybersecurity event with far-reaching implications.

Midnight Blizzard’s tactics highlight the sophisticated and resource-intensive nature of nation-state cyber espionage efforts.

History of Midnight Blizzard APT Group

Midnight Blizzard is a Russian state-sponsored cyber espionage group known by names such as APT29, Nobelium, Cozy Bear, and several others. It has been active for many years, engaging in sophisticated cyber operations to collect intelligence to support Russian foreign policy interests.

Notable Cyber Attacks by Midnight Blizzard

SolarWinds Supply Chain Attack (2020): One of the most significant and sophisticated cyber espionage campaigns attributed to Midnight Blizzard was the SolarWinds attack. This operation compromised the software supply chain of SolarWinds, a company that provides network monitoring and other IT services. The attack led to the breach of more than 18,000 customer organizations, including several US government agencies and private sector companies.

Democratic National Committee Hack: Midnight Blizzard, along with another Russian APT group (APT28), was involved in the cyber attacks against the Democratic National Committee (DNC) during the 2016 US Presidential Elections. These operations aimed to interfere with the election process and collect intelligence.

Hewlett Packard Enterprise (HPE) Breach: In December 2023, HPE disclosed that Midnight Blizzard had gained unauthorized access to its Microsoft Office 365 email system since May 2023. The attackers targeted mailboxes belonging to individuals in HPE’s cybersecurity, go-to-market, business segments, and other functions, exfiltrating sensitive data.



Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.