Microsoft has revealed that Russian state-sponsored hacker group Midnight Blizzard gained access to internal systems and source code repositories during a cyber attack in January.
The tech giant said its security team had detected the attack on 12 January 2024 and triggered its response process to prevent any further access into its systems and mitigate potential damage.
The group is believed to have used a password spray attack to compromise a legacy non-production test tenant account and gain initial access. A password spray tries a short list of common passwords against many accounts rather than many passwords against one, which keeps each account under the lockout threshold and is why an old test tenant without strong authentication makes an attractive target.
From there, the attackers were able to access a small percentage of Microsoft corporate email accounts, including those of members of its senior leadership team and employees in its security, legal, and other functions, according to an update published on 19 January.
The update added that the attack was not the result of a vulnerability in Microsoft products or services.
In its latest update, released on 8 March 2024, Microsoft said it has seen evidence that the group is using information exfiltrated from its corporate email systems to try to gain unauthorized access to both Microsoft and customer networks.
“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” the company said in a blog post. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”
The company described the attack as characterized by a sustained, significant commitment of the group’s resources, coordination, and focus. It said the threat actor may be using the information it has obtained to build a picture of areas to attack and to enhance its ability to do so.
Microsoft also noted that Midnight Blizzard has ramped up the volume of certain aspects of the attack, such as password sprays, by as much as tenfold in February compared to the levels observed in January.
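The initial access technique and the later ramp-up in password sprays described above are the kind of activity a sign-in-log detection should catch. The following Python is an added example, not code from Microsoft or from the original article: it groups failed sign-ins by source IP inside a sliding time window and flags IPs that fail against many distinct accounts with only one or two attempts each, which is the spray signature, while leaving a single-account brute force and an ordinary mistyped password unflagged. It also reports which sprayed accounts later signed in successfully from the same IP, since that is the account to treat as compromised. The record layout and every event in SAMPLE_EVENTS are constructed for this example and are not a real log format or real data.

```python
"""Password-spray detector over sign-in records (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(ts, user, ip, ok):
    """Build one constructed sign-in record: ts is ISO 8601, ok True = success."""
    return {"ts": ts, "user": user, "ip": ip, "ok": ok}


# Constructed sample events; the IPs are documentation ranges, the users are invented.
SAMPLE_EVENTS = (
    # Spray: one guess per account across eight test-tenant accounts, then one hit.
    [_ev(f"2024-01-10T09:{m:02d}:00", f"test-svc{n:02d}", "203.0.113.7", False)
     for n, m in zip(range(1, 9), range(0, 16, 2))]
    + [_ev("2024-01-10T09:17:00", "test-svc03", "203.0.113.7", True)]
    # Brute force: many guesses against a single account (not a spray).
    + [_ev(f"2024-01-10T10:00:{s:02d}", "legacy-admin", "198.51.100.9", False)
       for s in range(0, 60, 5)]
    # Ordinary user who mistyped twice and then signed in.
    + [_ev("2024-01-10T11:00:00", "alice", "192.0.2.5", False),
       _ev("2024-01-10T11:00:30", "alice", "192.0.2.5", False),
       _ev("2024-01-10T11:01:00", "alice", "192.0.2.5", True)]
)


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_attempts_per_account=2):
    """Return {ip: finding} for source IPs whose failed sign-ins look like a spray.

    A spray is many distinct accounts with few failures each inside one window.
    A single account with many failures is a brute force and is not reported here.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)] for failed sign-ins
    successes = defaultdict(set)   # ip -> {user} for successful sign-ins
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["ok"]:
            successes[e["ip"]].add(e["user"])
        else:
            failures[e["ip"]].append((ts, e["user"]))

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):
            # Advance the window start so fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_attempts_per_account):
                # Keep the window that touched the most accounts for this IP.
                if best is None or len(per_user) > best["distinct_accounts"]:
                    best = {
                        "distinct_accounts": len(per_user),
                        "window_start": fails[start][0].isoformat(),
                        "window_end": fails[end][0].isoformat(),
                        # Sprayed accounts that later succeeded from the same IP.
                        "successful_accounts": sorted(successes[ip] & set(per_user)),
                    }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Running the block flags only 203.0.113.7, with eight distinct accounts and test-svc03 as the account that subsequently succeeded. The thresholds are the tuning knobs: a spray spread across many source IPs or spaced out beyond the window will slip past a per-IP check, so in practice the same logic is also keyed on user agent, ASN, or tenant, and the window is widened for low-and-slow campaigns.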
Who are Midnight Blizzard?
Midnight Blizzard, also known as Nobelium, APT29, and Cozy Bear, are understood to be a Russian state-sponsored threat actor group, with close links to the country’s Foreign Intelligence Service (SVR).
The group first came to public attention in 2013, when Kaspersky Lab published its analysis of the MiniDuke malware.
Since then the group has been responsible for a number of cyber attacks, predominantly against NATO member states.
In 2015, Midnight Blizzard gained access to Pentagon networks via a spear phishing attack on its email servers, leading to a complete shutdown of the Joint Staff unclassified email system, as well as internet access in the building.
The group was also found to have compromised the servers of the Democratic National Committee (DNC) in the run-up to the 2016 US election.
Since then both the Norwegian and Dutch governments have reported attacks by the group, and concerns about tampering led the Netherlands to count the ballots of its 2017 general election by hand.
In addition to the January attack on Microsoft, the group also gained unauthorized access to HPE’s cloud-hosted email environment. Midnight Blizzard was able to access several SharePoint files on the HPE system, according to the company’s SEC filing.