A Microsoft spokesman reported that the Russian government-backed hacking team that broke into its corporate network and spied on senior executives also stole source code and may still be poking around its internal computer systems. In what is being described as an “ongoing attack,” the world’s largest software maker says it has evidence the hacking group “is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access.” This has included access to some of the company’s source code repositories and internal systems. The company did not provide any additional details on the source code access or which internal systems had been breached. “To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised,” the representative said.
Microsoft said it is apparent that Midnight Blizzard is still attempting to use secrets of different types that were shared between customers and Microsoft in email in additional attacks. “[As] we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” the company said, warning that the hacking group has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.
See: https://redskyalliance.org/xindustry/microsoft-warns-of-apt29-espionage-attacks
“[The hackers] may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks,” the company said. The latest twist comes less than a month after the Midnight Blizzard hackers were caught in Microsoft’s corporate network spying on emails and attachments from senior executives and targets in the cybersecurity and legal departments.
The APT, which has also been blamed for the SolarWinds supply chain hack, used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. “[They] exfiltrated some emails and attached documents,” Microsoft said in a filing with the Securities and Exchange Commission (SEC).
The company said its security team detected the nation-state attack on its corporate systems on January 12, 2024 and traced the infection back to November 2023. The discovery of Russian hackers in Microsoft’s network comes less than six months after Chinese cyber spies were caught forging authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes.
That hack, which led to the theft of email data from approximately 25 government organizations in the United States, is currently being investigated by the CISA Cyber Security Review Board (CSRB). Midnight Blizzard/Nobelium (AKA APT29 and Cozy Bear by others) is the same group that was attributed to hacking IT management solutions provider SolarWinds in a massive supply chain attack in 2020.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. redskyalliance. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments