Microsoft said that Kremlin-backed hackers stole its proprietary source code during a January breach of its corporate network and are now using it and other secrets in follow-on attacks against customers.
The intrusion, which the software company disclosed in January, was carried out by Midnight Blizzard, the name used to track a hacking group widely attributed to the Federal Security Service, a Russian intelligence agency. Microsoft said at the time that Midnight Blizzard gained access to senior executives’ email accounts for months after first exploiting a weak password in a test device connected to the company’s network. Microsoft went on to say it had no indication any of its source code or production systems had been compromised.
Unprecedented global threat
In an update published Friday, Microsoft said it has since uncovered evidence that Midnight Blizzard did, in fact, access “some of the company’s source code repositories and internal systems.” The hacking group—which is tracked under multiple other names, including APT29, Cozy Bear, CozyDuke, The Dukes, Dark Halo, and Nobelium—has been using the proprietary information in follow-on attacks, mainly against Microsoft customers.
“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” Friday’s update said. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”
In January’s initial disclosure, Microsoft said Midnight Blizzard used a password-spraying attack to compromise a “legacy non-production test tenant account” on the company’s network. That detail meant the account hadn’t been removed once it was decommissioned, a step that’s considered essential for securing networks. It also meant that the password used to log in to the account was weak enough to be guessed by sending a steady stream of credentials harvested from previous breaches—a technique known as password spraying. In the months since, Microsoft said Friday, Midnight Blizzard has stepped up the spraying in more follow-on attempts to gain access to targeted networks.
“Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024,” the update said. It continued:
Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.
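As an added illustration that is not part of the article, the kind of detection a defender would run over sign-in logs to catch the spraying described above: it flags a source that fails against many distinct accounts within a short window, a pattern that per-account lockout counters never see because each account gets only one or two tries. The log format, IP addresses and account names are constructed for the example.

```python
# Added example (not the article's or Microsoft's code): spot password-spray
# patterns in constructed sign-in logs. A spray touches many accounts with
# few attempts each from one source, so we key on the source, not the account.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp,source_ip,user,result"
SAMPLE_LOG = """\
2024-01-05T02:00:01,203.0.113.7,alice,failure
2024-01-05T02:00:09,203.0.113.7,bob,failure
2024-01-05T02:00:17,203.0.113.7,carol,failure
2024-01-05T02:00:25,203.0.113.7,dave,failure
2024-01-05T02:00:33,203.0.113.7,erin,failure
2024-01-05T02:00:41,203.0.113.7,legacy-test01,success
2024-01-05T02:03:00,198.51.100.4,alice,failure
2024-01-05T02:03:05,198.51.100.4,alice,failure
2024-01-05T02:03:12,198.51.100.4,alice,success
"""

def parse_log(text):
    """Parse the constructed CSV-like lines into (time, ip, user, result)."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_sprays(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: (distinct_failed_accounts, accounts_it_got_into)}
    for every source whose failures span at least min_accounts distinct
    accounts inside a sliding window. A success from the same source in that
    window (here a forgotten test account) is the lead to chase first."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            failed, hits = set(), set()
            for ts, user, result in evs[i:]:
                if ts - start > window:
                    break
                (failed if result == "failure" else hits).add(user)
            if len(failed) >= min_accounts:
                alerts[ip] = (len(failed), sorted(hits))
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    print(find_sprays(parse_log(SAMPLE_LOG)))
```

A user retrying their own password (198.51.100.4) produces no alert, because the threshold counts distinct accounts rather than attempts.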
Microsoft said it has increased spending on security and “enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat.” The statement didn’t say what those enhancements were.
The attack began in November and wasn’t detected until January. Microsoft said then that the breach allowed Midnight Blizzard to monitor the email accounts of senior executives and security personnel, raising the possibility that the group was able to read sensitive communications for as long as three months. Microsoft said one motivation for the attack was for Midnight Blizzard to learn what the company knew about the threat group. Microsoft said at the time and reiterated again Friday that it had no evidence the hackers gained access to customer-facing systems.
Midnight Blizzard is among the most prolific APTs, short for advanced persistent threats, the term used for skilled, well-funded hacking groups that are mostly backed by nation-states. The group was behind the SolarWinds supply-chain attack that led to the hacking of the US Departments of Energy, Commerce, Treasury, and Homeland Security and about 100 private-sector companies.
Last week, the UK National Cyber Security Centre (NCSC) and international partners warned that in recent months the threat group has expanded its activity to target aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.