
Microsoft customers are being targeted after Redmond's source code, secrets were stolen

A raid by Russian hackers penetrated deeper than first thought: "Some of these secrets were shared between customers and Microsoft..."

In brief: Midnight Blizzard, Russia's SVR, breached Microsoft's source code repositories using secrets stolen from the corporate and customer emails it accessed in the attack disclosed on January 19, and is ramping up attacks on Microsoft customers.

Microsoft says hackers successfully accessed its “source code repositories and internal systems” after breaching its corporate emails in January.

On January 19 Microsoft said that a “Russian state-sponsored actor” it calls Midnight Blizzard had accessed “a very small percentage of Microsoft corporate email accounts” including those of its cybersecurity leadership.

On January 25 it then detailed how the attack had happened.

See also: How Russian spooks hacked Microsoft, the gap in its “morally indefensible” response, and what CISOs can learn from the attack

But today (March 8) Microsoft Security Response Center admitted the attackers had penetrated deeper than previously revealed and that customers were now also being attacked using data stolen in the raid.

"In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised" – MSRC, March 8, 2024.

As well as accessing Microsoft’s own source code and internal systems, “it is apparent that Midnight Blizzard is attempting to use secrets of different types it has found” MSRC said in a short and heavily-legalled blog.

“Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024,” it added.


“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.” 

Saying it is increasing its own security investments and has “enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat”, Microsoft added that its investigations are ongoing and “findings of our investigations will continue to evolve."

That sounds like more bad news may be on the horizon.  

The Stack has written more about how the attack happened here.

Beyond highlighting that it is seeing heavy password spray attacks, MSRC did not share any indicators of compromise or any further new detail for threat hunters in its latest update on the activity.
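As an added illustration of the hunting that MSRC's update leaves to defenders (this is not code from The Stack's article or from Microsoft): a small spray detector run over constructed sign-in records, flagging a source that fails against many accounts with only a few attempts each, and separating that from a single-account brute force. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data): timestamp, user, source IP, result.
SAMPLE_LOG = """\
2024-02-03T09:00:01Z alice@example.test 198.51.100.7 FAILURE
2024-02-03T09:00:09Z bob@example.test 198.51.100.7 FAILURE
2024-02-03T09:00:17Z carol@example.test 198.51.100.7 FAILURE
2024-02-03T09:00:25Z dave@example.test 198.51.100.7 FAILURE
2024-02-03T09:00:33Z erin@example.test 198.51.100.7 FAILURE
2024-02-03T09:00:41Z frank@example.test 198.51.100.7 SUCCESS
2024-02-03T09:01:00Z alice@example.test 203.0.113.9 FAILURE
2024-02-03T09:01:05Z alice@example.test 203.0.113.9 FAILURE
2024-02-03T09:01:10Z alice@example.test 203.0.113.9 FAILURE
2024-02-03T09:01:15Z alice@example.test 203.0.113.9 FAILURE
2024-02-03T09:01:20Z alice@example.test 203.0.113.9 FAILURE
2024-02-03T09:01:25Z alice@example.test 203.0.113.9 FAILURE
"""

def parse(log_text):
    """Parse the assumed space-separated format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def find_sprays(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {ip: {"users": n, "success": [...]}} for sources whose failures within any
    `window` touch >= min_users distinct accounts with <= max_per_user failures each:
    the spray signature (wide and shallow, staying under per-account lockout limits)."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, recs in by_ip.items():
        failures = [(ts, u) for ts, u, r in recs if r == "FAILURE"]
        for i, (start, _) in enumerate(failures):
            per_user = defaultdict(int)
            for ts, u in failures[i:]:
                if ts - start > window:
                    break
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # A success from the same source after the spray started is the lead to chase first.
                hits = [u for ts, u, r in recs if r == "SUCCESS" and ts >= start]
                alerts[ip] = {"users": len(per_user), "success": hits}
                break
    return alerts

if __name__ == "__main__":
    print(find_sprays(parse(SAMPLE_LOG)))
```

The second source (203.0.113.9) fails six times against one account and is deliberately not flagged here; that pattern belongs to a lockout or brute-force rule, not a spray rule.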

Midnight Blizzard is also known as Nobelium, APT29, or Cozy Bear. It is believed to be run by Russia's Foreign Intelligence Service (SVR) – which successfully hit SolarWinds and then also Microsoft in 2020/early 2021.

In other news the National Security Agency (NSA) this week released its “Top Ten Cloud Security Mitigation Strategies” that explicitly calls for customers to "perform penetration tests on their cloud tenants in accordance with CSP terms of service" and "actively hunt for intrusions in the cloud."

See also: The Big Interview with JPMorgan’s Global CISO, Pat Opet