Microsoft says Midnight Blizzard hacker group accessed source code and internal systems in January cyber attack
Microsoft confirmed the Russian-linked group accessed internal systems after an incident that was first detected in January


Microsoft has revealed that Russian state-sponsored hacker group Midnight Blizzard gained access to internal systems and source code repositories during a cyber attack in January.
The tech giant said its security team had detected the attack on 12 January 2024 and triggered its response process to prevent any further access into its systems and mitigate potential damage.
Midnight Blizzard is believed to have gained initial access by using a password spray attack to compromise a legacy non-production test tenant account. Rather than hammering one account with many guesses, a spray tries a handful of common passwords against many accounts, which keeps every account below its lockout threshold.
From there, the attackers were able to access a small percentage of Microsoft corporate email accounts, including those of its senior leadership team and of staff in its security, legal, and other functions, according to an update published on 19 January.
The update added that the attack was not the result of a vulnerability in Microsoft products or services.
In its latest update, released on 8 March 2024, Microsoft said it has seen evidence that the group is using information exfiltrated from its corporate email systems to attempt to gain unauthorized access to both Microsoft and customer networks.
“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found," the company said in a blog post. "Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”
The company described the attack as characterized by a sustained, significant commitment of the group's resources, coordination, and focus. It speculated that the threat actors may be using the information to build a fuller picture of their targets for planning future attacks, or to enhance their offensive capabilities.
Microsoft also noted that Midnight Blizzard had increased the volume of some aspects of the attack, such as password sprays, by roughly a factor of ten in February compared with the levels observed in January.
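The password spray described above is easy to miss if detection is keyed on the account, because no single account ever trips a lockout. The following detector, written for this page as an added example (it is not Microsoft's, HPE's or ITPro's code), pivots on the source address instead: it flags any IP that fails against several distinct accounts inside a sliding window, and reports any successful sign-in that IP achieves while the spray is under way, which is the account to investigate first. The CSV log format, the `contoso.test` hostnames, the 10-minute window and the five-account threshold are assumptions chosen for illustration, and the log lines are constructed, not real data.

```python
"""Password-spray detection over constructed sign-in log lines.

Added example for this article; not Microsoft's, HPE's or ITPro's code.
The log format (timestamp,source_ip,user,result), the thresholds and the
hostnames are assumptions chosen for illustration. Real Entra ID sign-in
logs carry different field names, but the detection pivot is the same.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real log data). 203.0.113.7 tries one
# guess against many accounts and finally lands on a legacy test account;
# 198.51.100.9 is a real user mistyping her own password twice.
SAMPLE_LOG = """\
2024-01-10T02:00:01Z,203.0.113.7,alice@contoso.test,FAIL
2024-01-10T02:00:03Z,203.0.113.7,bob@contoso.test,FAIL
2024-01-10T02:00:05Z,203.0.113.7,carol@contoso.test,FAIL
2024-01-10T02:00:07Z,203.0.113.7,dave@contoso.test,FAIL
2024-01-10T02:00:09Z,203.0.113.7,erin@contoso.test,FAIL
2024-01-10T02:00:11Z,203.0.113.7,legacy-test@contoso.test,SUCCESS
2024-01-10T02:05:00Z,198.51.100.9,alice@contoso.test,FAIL
2024-01-10T02:05:10Z,198.51.100.9,alice@contoso.test,FAIL
2024-01-10T02:05:20Z,198.51.100.9,alice@contoso.test,SUCCESS
"""


def parse_log(text):
    """Turn CSV lines into (timestamp, source_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.strip().split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, result))
    return events


def find_sprays(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that failed against >= min_accounts distinct accounts
    inside a sliding window, and list any successful sign-in those IPs
    achieved while the spray was active.

    Per-account lockout never fires on a spray because each account sees
    only one or two guesses, so the detection groups by source, not account.
    """
    by_ip = defaultdict(list)
    for event in sorted(events):
        by_ip[event[1]].append(event)

    findings = {}
    for ip, ip_events in by_ip.items():
        recent = []      # failures still inside the window
        peak = 0         # most distinct failing accounts seen in any window
        successes = []   # accounts that succeeded during an active spray
        for ts, _, user, result in ip_events:
            recent = [(t, u) for t, u in recent if ts - t <= window]
            if result == "FAIL":
                recent.append((ts, user))
            distinct = len({u for _, u in recent})
            peak = max(peak, distinct)
            if result == "SUCCESS" and distinct >= min_accounts:
                successes.append(user)
        if peak >= min_accounts:
            findings[ip] = {"accounts": peak, "successes": successes}
    return findings


if __name__ == "__main__":
    for ip, info in find_sprays(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: failed against {info['accounts']} accounts, "
              f"then succeeded on {info['successes'] or 'none'}")
```

On the sample, only 203.0.113.7 is flagged, and its success against `legacy-test@contoso.test` is exactly the kind of account Microsoft described: a legacy test identity that still accepts a password alone. In practice attackers rotate source addresses, so the same grouping should also be tried by ASN, user agent or client application ID, and a legitimate success during a spray is a strong reason to force a password reset and require MFA on that account.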
Who are Midnight Blizzard?
Midnight Blizzard, also tracked as Nobelium, APT29, and Cozy Bear, is understood to be a Russian state-sponsored threat actor with close links to the country's Foreign Intelligence Service (SVR).
The group first rose to prominence in 2013, when samples of its MiniDuke malware began circulating, according to analysis by Kaspersky Lab.
Since then the group has been responsible for a number of cyber attacks, predominantly targeting NATO member states.
In 2015, Midnight Blizzard gained access to Pentagon networks via a spear phishing attack on its email servers, leading to a total shutdown of the Joint Staff's unclassified email system, as well as internet access in the building.
The following year the group compromised the servers of the Democratic National Committee (DNC) in the months leading up to the 2016 US election.
Since then, both the Norwegian and Dutch governments have been targeted by the group, and concerns about potential tampering led the Netherlands to count the ballots in its 2017 general election by hand.
In addition to the January attack on Microsoft, the group gained unauthorized access to HPE's cloud-hosted email environment, from which it was able to access several SharePoint files, according to the company's SEC filing.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.