Microsoft said a “Russian state-sponsored actor” attacked its corporate systems on January 12, successfully accessing the emails of “senior leadership” and staff working in its cybersecurity and legal departments.
The attackers breached a “legacy non-production test tenant account” through what it said was a “password spray attack” (trying a small number of common passwords against many accounts, which keeps each account below its lockout threshold) and then pivoted from there, using the account’s permissions, to get the email access.
Quite why a “legacy non-production test tenant account” gave an attacker access to the emails of senior leadership is a question that Microsoft will no doubt address in future updates. (Microsoft gave no further details about the “tenant” – a term that typically refers to a dedicated instance of the Azure Active Directory service, since renamed Microsoft Entra ID, that an organization receives when it signs up for a Microsoft cloud service, like the Microsoft 365 suite.)
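The telltale of a password spray is the one described above: many distinct accounts tried from one source with only one or two attempts each, so no single account trips lockout. The script below is an added illustration, not Microsoft's own detection logic or any detail of its telemetry. It runs over constructed Entra ID style sign-in events (the IPs are from RFC 5737 documentation ranges and the user names, tenant domain and error code handling are assumptions), separates a spray from a classic single-account brute force, and then looks for the thing that matters most after a spray: a successful sign-in from the same source.

```python
"""Password-spray detection over sign-in events (added example, constructed data).

A spray is many *distinct* accounts tried from one source with few attempts
each, staying under per-account lockout; brute force is many attempts against
one account. The successful sign-in that follows a spray is the pivot point.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Entra ID error code for "invalid username or password" (AADSTS50126).
# Assumption: real logs carry other failure codes too; extend as needed.
FAILED_PASSWORD = 50126


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    error_code: int  # 0 means the sign-in succeeded


def detect_spray(events, window=timedelta(minutes=30), min_users=8, max_per_user=2):
    """Return {src_ip: {"users", "first_seen", "last_seen"}} for spraying sources.

    A source is flagged when, inside any sliding window, it fails against at
    least `min_users` distinct accounts while no single account receives more
    than `max_per_user` failures from it (the low-and-slow profile).
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.error_code == FAILED_PASSWORD:
            by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = {
                    "users": sorted(per_user),
                    "first_seen": fails[start].ts,
                    "last_seen": fails[end].ts,
                }
                break
    return flagged


def successes_after_spray(events, flagged):
    """Return [(src_ip, user, ts)] for successful sign-ins from a flagged source
    at or after the start of its spray window: the accounts to treat as compromised."""
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        info = flagged.get(e.src_ip)
        if info and e.error_code == 0 and e.ts >= info["first_seen"]:
            hits.append((e.src_ip, e.user, e.ts))
    return hits


def sample_events():
    """Constructed sample events; not real telemetry from any tenant."""
    t0 = datetime(2024, 1, 12, 3, 0)
    ev = []
    spray_ip = "203.0.113.7"
    # One attempt per account, one minute apart: under any lockout threshold.
    for i in range(12):
        ev.append(SignIn(t0 + timedelta(minutes=i), f"user{i:02d}@contoso.test",
                         spray_ip, FAILED_PASSWORD))
    # The legacy test account still on a guessable password with no MFA.
    ev.append(SignIn(t0 + timedelta(minutes=15), "legacy-test-svc@contoso.test", spray_ip, 0))
    # Classic brute force: ten failures against one account from another source.
    for i in range(10):
        ev.append(SignIn(t0 + timedelta(seconds=30 * i), "admin@contoso.test",
                         "198.51.100.9", FAILED_PASSWORD))
    # A user mistyping a password once, then signing in normally.
    ev.append(SignIn(t0 + timedelta(minutes=5), "user03@contoso.test", "192.0.2.44", FAILED_PASSWORD))
    ev.append(SignIn(t0 + timedelta(minutes=6), "user03@contoso.test", "192.0.2.44", 0))
    return ev


if __name__ == "__main__":
    ev = sample_events()
    flagged = detect_spray(ev)
    for ip, info in flagged.items():
        print(f"spray from {ip}: {len(info['users'])} accounts, "
              f"{info['first_seen']} to {info['last_seen']}")
    for ip, user, ts in successes_after_spray(ev, flagged):
        print(f"  success from spray source {ip} as {user} at {ts}")
```

The thresholds are deliberately conservative defaults; tune `min_users` and `window` to the tenant's size, and key on ASN or user-agent as well as IP, since sprays are routinely spread across residential proxies. Whatever the detector reports, the lasting fix is the one the incident points at: no account, legacy or test, without MFA and Conditional Access.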
Microsoft revealed the incident in a short blog late on Friday, January 19.
“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required,” it said.
Microsoft email hack attributed to SVR-associated group
Microsoft attributed the attack to “Midnight Blizzard” – an entity also called Nobelium, APT29, or Cozy Bear by other organisations. It is believed to be run by Russia's Foreign Intelligence Service (SVR) – which successfully hit SolarWinds and, through that same campaign, Microsoft in late 2020/early 2021.
The attackers initially appear to have been "targeting email accounts for information related to Midnight Blizzard itself," Microsoft said.
The incident comes as Microsoft has faced sustained pressure to improve its security performance after a string of incidents including the theft of a cryptographic key, used to then access the emails of at least 25 Microsoft customers including a wide range of US federal agencies, in 2023.
(The attacker, critics said, could potentially have been forging access tokens to customer Microsoft services for up to two years, unnoticed.)
See also: A powerful key was stolen from one of the world’s largest companies. It still has questions to answer.
In the wake of that incident, CISA Director Jen Easterly told Bloomberg that Microsoft should “recapture the ethos” of what Bill Gates called “trustworthy computing” – saying that "I absolutely positively think they have to focus on ensuring their products are both secure by default and secure by design, and we are going to continue to work with them to urge them to do that."
Microsoft has since launched its “Secure Future Initiative” – a sweeping overhaul of its security practices, including software development.
The blog, attributed to the Microsoft Security Response Center (MSRC), added: “Given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient. For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes. This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy.”
“We are continuing our investigation and will take additional actions based on the outcomes of this investigation and will continue working with law enforcement and appropriate regulators. We are deeply committed to sharing more information and our learnings, so that the community can benefit from both our experience and observations about the threat actor. We will provide additional details as appropriate,” MSRC said.