In a regulatory filing released on Friday, Microsoft revealed that a state-sponsored Russian hacking group, identified as Midnight Blizzard (also known as Nobelium), had successfully accessed email accounts of senior leaders within the company.
The breach, detected by the Microsoft security team on January 12, 2024, prompted an immediate response to investigate and counter the malicious activity. Midnight Blizzard, notorious for the 2020 SolarWinds breach, was identified as the threat actor behind the latest attack.
According to a blog post from the Microsoft Security Response Center, the hackers infiltrated a small percentage of corporate email accounts, specifically targeting senior leadership, as well as employees in cybersecurity and legal departments. The intrusion allowed the hackers to exfiltrate some emails and attached documents.
Microsoft clarified that the preliminary investigation suggests the attackers were focused on obtaining information related to Midnight Blizzard itself, a pattern reminiscent of their previous actions during the SolarWinds breach.
The company said there is no evidence that the hackers accessed customer environments or AI systems. Microsoft is currently notifying affected employees.
The intrusion, which began in late November 2023, used a “password spray attack” to gain an initial foothold. Password spraying involves trying commonly used passwords against numerous accounts.
Microsoft emphasized its ongoing collaboration with law enforcement and regulators, pledging to share additional information publicly as the investigation progresses. The company underscored the persistent risk posed by well-resourced nation-state threat actors like Midnight Blizzard.
This incident marks another high-profile hacking attempt on Microsoft systems. The Cybersecurity and Infrastructure Security Agency has not yet responded to requests for comment, while the FBI acknowledged the incident and expressed its commitment to assisting victims of cyber incidents.