Microsoft revealed on Friday that it was the target of a nation-state attack on its corporate systems, which resulted in the theft of emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments.
The Windows maker attributed the attack to a Russian advanced persistent threat (APT) group it tracks as Midnight Blizzard (formerly Nobelium), which is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.
It further said that upon discovery on January 12, 2024, it immediately took steps to investigate, disrupt and mitigate the malicious activity. The campaign is estimated to have begun in late November 2023.
“The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said.
Redmond said the nature of the targeting indicates that the threat actors were looking to access information related to themselves. It also stressed that the attack was not the result of any security vulnerabilities in its products and there is no evidence that the adversary accessed customer environments, production systems, source code or AI systems.
The computing giant did not disclose how many email accounts were breached or what information was obtained, but said it was in the process of notifying employees who were affected as a result of the incident.
The hacking outfit, which was previously responsible for the high-profile SolarWinds supply chain compromise, has singled out Microsoft twice, once in December 2020 to siphon source code related to Azure, Intune, and Exchange components, and a second time breaching three of its customers in June 2021 via password spraying and brute-force attacks.
“This attack highlights the continued risk posed to all organizations by affluent nation-state threat actors like Midnight Blizzard,” the Microsoft Security Response Center (MSRC) said.