The software giant Microsoft has apparently once again fallen victim to a cyberattack. According to a new blog post by the company, a Russian state-backed hacker group called Midnight Blizzard, also known as Nobelium, Cozy Bear, or APT29, gained access to an “old, non-production test tenant account” through a password spraying attack as early as the end of November 2023.
Using the permissions of this account, the attackers were subsequently able to access “a very small percentage” of Microsoft’s corporate email accounts, including those of executives and employees in the cybersecurity and legal departments. Some emails and attached documents were exfiltrated during the breach.
The attackers spent weeks in Microsoft’s systems before being detected, likely operating within the email accounts mentioned for approximately one and a half months. Microsoft emphasizes that the cyberattack was not due to a vulnerability in any of its products. Furthermore, there is no evidence thus far of unauthorized access to customer environments, source code, production, or AI systems.
“We are currently in the process of notifying the employees whose emails were accessed,” the company stated. Initial investigations revealed that the hacker group was seeking information about itself. Details of the attack have not yet been shared by the company as investigations are ongoing.
In a report to the US Securities and Exchange Commission (SEC), Microsoft stated that the incident has not had any significant impact on the company’s operations thus far. Whether there will be consequences for the financial position or operating results of the company remains undetermined.
Questionable security practices seem to have been at play within Microsoft. The company’s description suggests that the aforementioned test account was protected by a weak password, allowing the attackers to guess it using a list of commonly used passwords. Additionally, it appears that no two-factor authentication (2FA) was active on the account; had it been, a correctly guessed password alone would not have granted access.
Lastly, the test account seemingly had extensive access rights, enabling Midnight Blizzard to reach real employee accounts within the company. That access was effectively limited to “a very small percentage” of them likely reflects the attackers’ objectives rather than any restriction on what the account could reach.
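One detection check for the spray pattern described above, as an added example that is not from Microsoft’s report: it flags a source that fails sign-ins against many distinct accounts with only a few attempts each (the signature that separates a spray from ordinary brute force or a user mistyping a password) and lists any account that source then signed into successfully. The log format, addresses, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source_ip> <account> <result>".
# 203.0.113.7 sprays one guess per account and lands on a test account;
# 198.51.100.9 is an ordinary user who mistypes a password twice.
SIGNIN_LOG = """\
2023-11-27T02:00:01+00:00 203.0.113.7 alice@corp.example FAILURE
2023-11-27T02:00:04+00:00 203.0.113.7 bob@corp.example FAILURE
2023-11-27T02:00:07+00:00 203.0.113.7 carol@corp.example FAILURE
2023-11-27T02:00:10+00:00 203.0.113.7 dave@corp.example FAILURE
2023-11-27T02:00:13+00:00 203.0.113.7 erin@corp.example FAILURE
2023-11-27T02:00:16+00:00 203.0.113.7 legacy-test@corp.example SUCCESS
2023-11-27T02:10:00+00:00 198.51.100.9 frank@corp.example FAILURE
2023-11-27T02:10:20+00:00 198.51.100.9 frank@corp.example FAILURE
2023-11-27T02:10:40+00:00 198.51.100.9 frank@corp.example SUCCESS
"""


def parse_log(text):
    """Parse the constructed log lines into sorted (time, source, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, account, result = line.split()
        events.append((datetime.fromisoformat(ts), src, account, result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {source: {"accounts": n, "successes": [...]}} for every source whose
    failures within any `window` hit at least `min_accounts` distinct accounts while
    no single account failed more than `max_per_account` times. Successful sign-ins
    from that source after the spray began are the accounts whose password it found."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        for i, (t0, _, _, _) in enumerate(failures):
            per_account = defaultdict(int)  # failures per account inside this window
            for t, _, acct, _ in failures[i:]:
                if t - t0 > window:
                    break
                per_account[acct] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                successes = sorted({e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= t0})
                alerts[src] = {"accounts": len(per_account), "successes": successes}
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_log(SIGNIN_LOG)).items():
        print(f"spray from {src}: {info['accounts']} accounts, compromised: {info['successes']}")
```

Tune the window and thresholds to the tenant’s normal failure rate; a spray that is slow enough to stay under the per-account ceiling across windows is what the distinct-account count across a longer window is meant to catch.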
Midnight Blizzard is no stranger to cyberattacks. The group was responsible for the prominent Sunburst attack at the end of 2020, in which the Trojan was distributed through updates for SolarWinds’ monitoring and management software, Orion. Midnight Blizzard is allegedly connected to the Russian Foreign Intelligence Service (SVR).