The Russian-backed hacker group Midnight Blizzard was detected trying to infiltrate the tech giant’s corporate systems, Microsoft said in a disclosure report filed with the SEC Friday.
“The Microsoft security team detected a nation-state attack on our corporate systems on January 12th, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access,” Microsoft revealed in the January 19th filing.
The team identified the attacker as Midnight Blizzard, otherwise known in the security world as the Russian state-sponsored actor Nobelium, APT29, or Cozy Bear – and responsible for the SolarWinds hack that wreaked havoc on US government installations in 2020.
Microsoft said in November 2023, the group was able to use a password spray attack to gain access to a small portion of a “legacy non-production test tenant account.”
Password spraying is type of brute force attack, where the bad actors will continuously attempt to login to a system by using a default password on multiple user accounts .
Once in the system, Microsoft says the attackers elevated its privileges “to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.”
“This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard,” it said.
Microsoft's 'low-hanging fruit'
Mike Newman, CEO of identity and access management solutions firm My1Login, described the security breach as “alarming.”
He said the incident “highlights worrying flaws in Microsoft’s security processes,” referring to the threat actors successful use of a simple password spraying attack to get into Microsoft systems.
“This means Microsoft was using basic, or already compromised passwords, on some of their systems,” Newman pointed out..
"While Microsoft has claimed that the password spraying attack impacted a legacy non-production account, it still should never have been vulnerable to this sort of assault," he said.
“Regardless of whether a system is legacy, it should always be protected with modern security, and it should never present low-hanging fruit for attackers to compromise and pivot from,” explained Newman.
Microsoft did make clear that the “attack was not the result of a vulnerability in Microsoft products or services,” reiterating there was no evidence “the threat actor had any access to customer environments, production systems, source code, or AI systems.”
The Microsoft team also noted that the attackers were primarily focused on finding information about themselves, attempting to phish compromised employees through their Microsoft work email accounts.
Microsoft said they have shared the update as part of the commitment to the company’s newest security initiative, the “Secure Future Initiative (SFI).
Designed to advance “next generation of cybersecurity protection,” Microsoft said the Midnight Blizzard attack has highlighted the “urgent need to move even faster.”
The security fix
“We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes,” the company said.
Microsoft said the necessary upgraded security may cause some level of disruption in operations, which may be repeated over time.
Newman said the incident is yet another reminder of an organization's risks regarding insecure password exposure.
One single compromised password can provide an attacker access to a system and travel through its network, Newman said.
“Organizations need to learn from this incident, because if a tech giant like Microsoft can be breached so easily through passwords, so can they,” he said.
“One of the best ways to improve the security of passwords is through the use of effective Single Sign-On and Enterprise Password Management solutions. These technologies can be used to generate unique, random passwords for employees and systems, meaning they can never be guessed and are almost impossible to brute force,” Newman added.
As the investigation continues, Microsoft said it will provide updates on the incident to customers and clients when deemed appropriate and if required.
Employees email accounts who were targeted by the threat group are being notified.
Last February, the Russian cybercriminal gang was said to be behind a phishing campaign aimed at targeting EU government agencies giving aid to Ukraine, according to research by BlackBerry.
More from Cybernews:
Subscribe to our newsletter