In a Friday regulatory filing, Microsoft reported that its corporate email accounts were compromised by a Russian state-sponsored hacking group known as Midnight Blizzard, also identified as Nobelium or APT29. Microsoft's disclosure aligns with new U.S. requirements for reporting cybersecurity incidents. The attack was detected on January 12th, 2024, but it appears to have started in November 2023.
The Breach and Attack
The attack involved Russian hackers using a password spray attack to access a legacy non-production test tenant account at Microsoft. Password spraying is a brute force technique in which attackers try a small set of likely passwords against a long list of usernames, rather than hammering one account with many guesses, which keeps each account below lockout thresholds.
This indicates that the breached account did not have two-factor authentication (2FA) or multi-factor authentication (MFA) enabled, a security practice Microsoft itself recommends. Once the hackers gained access to the test account, they used it to access a "small percentage" of Microsoft's corporate email accounts over the course of about a month.
Notably, the targeted email accounts included members of Microsoft's leadership team, as well as employees in cybersecurity and legal departments. Microsoft emphasized that this breach was due to a brute force password attack and not a vulnerability in their products or services.
About Nobelium (aka Midnight Blizzard, APT29)
Nobelium is a Russian state-sponsored hacking group, believed to be associated with Russia's Foreign Intelligence Service (SVR). The group gained notoriety for its involvement in the 2020 SolarWinds supply chain attack, which impacted both Microsoft and several U.S. government agencies.
Nobelium is known for conducting cyber espionage, stealing data, and developing custom malware for its attacks.
Microsoft stated that the breach did not result in the theft of customer data, access to production systems, or proprietary source code.
Response and Impact
Microsoft is actively investigating the breach and will provide additional details as appropriate. The company has affirmed that the breach did not have a material impact on its operations. The Cybersecurity and Infrastructure Security Agency (CISA) is working closely with Microsoft to assess the incident's impact and protect potential victims. There is no evidence that the hackers accessed customer data or critical systems.
This incident underscores the importance of robust cybersecurity practices, including enabling 2FA/MFA, to protect against password-based attacks. Training users to create strong passphrases helps as well.