Microsoft attributes hacking to Russian state-sponsored Midnight Blizzard

Written by Tue 23 Jan 2024

Image Credit: Reuters

Microsoft said a Russian state-sponsored group, Midnight Blizzard, is responsible for hacking into corporate systems and stealing documents from staff accounts. 

On 12 January, Microsoft detected an attack by Midnight Blizzard, also known as Nobelium, on its corporate systems. Midnight Blizzard is an alleged Russia-based threat actor that the US and UK governments have identified as the Foreign Intelligence Service of the Russian Federation, also known as the SVR.

The company activated a response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. 

Microsoft said that since November 2023, Midnight Blizzard had used a password spray attack, in which a few common passwords are tried against many accounts to avoid lockouts, to compromise a legacy non-production test tenant account. A test tenant account is typically one created for testing and development purposes within a system or software environment.

The threat actor used the compromised account’s permissions to access a limited number of Microsoft corporate email accounts, including those of senior leadership, cybersecurity, legal, and other teams. 

The intruder exfiltrated some emails and attached documents during the incident. Microsoft’s investigation indicated the threat actor was initially targeting email accounts for information related to Midnight Blizzard itself.  

Microsoft is in the process of notifying employees whose email was accessed. The company stressed the attack was not the result of a vulnerability in Microsoft products or services.  

“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required,” said Microsoft.

Al Lakhani, CEO of the passwordless authentication company IDEE, questioned Microsoft's ability to keep its users safe.

Lakhani said: “When even tech behemoths like Microsoft cannot protect themselves against as common a threat as password spraying, how can their customers trust in their cyber solutions? Or, for that matter, in Microsoft’s ability to keep their systems and data safe?”

Lakhani added that organisations should invest in solutions founded on strong digital identity proofing and transitive trust. This will allow businesses to improve their security and productivity with the least amount of time and resources.

“If you continue to rely on the centralised storage of credentials, and focus on detection rather than prevention, then you’re a sitting duck … The only thing we can hope is that high-profile breaches like this shock businesses into action,” said Lakhani.

Microsoft Commits to Improving Security Standards

Microsoft said it will act immediately to apply its current security standards to Microsoft-owned legacy systems and internal business processes, even where those changes disrupt existing business processes.

“Given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk. The traditional sort of calculus is simply no longer sufficient,” added Microsoft.

Microsoft said this process will likely cause some level of disruption while the company adapts to this ‘new reality’.

“This is a necessary step, and only the first of several we will be taking to embrace this philosophy,” said Microsoft.

Microsoft added it will continue its inquiry and take additional actions based on the investigation outcomes. The company is currently collaborating with law enforcement and the appropriate regulators.

“We are deeply committed to sharing more information and our learnings so that the community can benefit from both our experience and observations about the threat actor,” said Microsoft.

The company said it will provide additional details as appropriate.

Last year Microsoft announced the Secure Future Initiative (SFI) to enhance cybersecurity protection. The initiative will focus on AI-based cyber defences, advances in fundamental software engineering, and advocacy for stronger application of international norms to protect civilians from cyber threats.

Organisations Battle Alleged Russian Cyberattacks

In December, the UK attributed ‘sustained unsuccessful’ cyber attempts to interfere in UK political processes to the Russian Federal Security Service, the successor to the KGB. As a result, the UK has sanctioned two members of the Russian hacking group, Star Blizzard.

In the same month, The Guardian reported on 4 December that the nuclear fuel reprocessing site Sellafield had suffered cyberattacks by groups linked to Russia and China. Sellafield denied the attacks as described by The Guardian.

In October, Russian hackers led a cyberattack that forced the Royal Family website offline.

In June, a cybercrime gang believed to be based in Russia warned major British companies, including the BBC, British Airways, and Boots, to email it before 14 June, or data stolen in the MOVEit hack would be published.

Netacea research has revealed that most bot attacks now come from Russia and China.

The financial impact is greater than ever, costing each company £67.3 million ($85.6 million) every year. This is the equivalent of over 50 average ransomware payouts, or the 8th highest-ever GDPR fine.

The report, Death by a Billion Bots, surveyed 440 businesses with an average online revenue of £1.4 billion ($1.9 billion) across the travel, entertainment, ecommerce, financial services and telecoms sectors in the US and UK.

