
Midnight Blizzard continues targeting Microsoft in ongoing cyberattack

Written by Mon 11 Mar 2024

Microsoft has said Midnight Blizzard, a hacking group linked to Russia’s foreign intelligence, is trying to break into its systems using data stolen from corporate emails in January.

Reuters reported that analysts expressed concerns about the safety of Microsoft’s services and systems. Microsoft provides digital services and infrastructure to the US Government.

On 8 March, Microsoft said it had seen evidence of Midnight Blizzard attempting to gain unauthorised access to its systems.

“This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised,” said Microsoft.

Microsoft added that Midnight Blizzard is attempting ‘to use secrets of different types it has found’. Some of these secrets were shared between customers and Microsoft via email. Microsoft stressed it has been reaching out to affected users so that they can take mitigating measures.

According to the company, Midnight Blizzard increased the volume of some aspects of the attack, such as password sprays, by as much as tenfold in February, compared to the already large volume Microsoft saw in January.

A password-spraying attack involves a malicious actor trying the same commonly used password across multiple accounts before moving on to another password. This method helps attackers avoid detection because no single account accumulates numerous failed login attempts.
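A defender-side illustration of the paragraph above, added here and not taken from the article or from Microsoft: it contrasts a per-account failure counter, which a spray stays under, with a per-source count of distinct accounts that failed. The event tuple layout, thresholds, IP addresses and account names are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0)  # constructed base time

def _ev(minute, src, account, ok=False):
    """Build one constructed event: (timestamp, source_ip, account, success)."""
    return (T0 + timedelta(minutes=minute), src, account, ok)

# Constructed sample log (documentation IP ranges, made-up account names).
SAMPLE = (
    # One source fails once against six different accounts, 3 minutes apart.
    [_ev(3 * i, "198.51.100.7", f"user{i}") for i in range(6)]
    # A user mistypes their own password three times, then signs in.
    + [_ev(m, "203.0.113.20", "alice") for m in (1, 2, 3)]
    + [_ev(4, "203.0.113.20", "alice", ok=True)]
)

def _failures(events):
    return sorted((e for e in events if not e[3]), key=lambda e: e[0])

def lockout_alerts(events, threshold=5):
    """Per-account view: accounts with at least `threshold` failed logins."""
    counts = Counter(acct for _, _, acct, _ in _failures(events))
    return {acct for acct, n in counts.items() if n >= threshold}

def spray_alerts(events, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Per-source view: many distinct accounts failed, only a few tries each."""
    by_src = defaultdict(list)
    for ts, src, acct, _ in _failures(events):
        by_src[src].append((ts, acct))
    flagged = set()
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window so it spans at most `window` of time.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_acct = Counter(acct for _, acct in fails[start:end + 1])
            if (len(per_acct) >= min_accounts
                    and max(per_acct.values()) <= max_per_account):
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    print("lockout view:", lockout_alerts(SAMPLE))
    print("spray view:  ", spray_alerts(SAMPLE))
```

On the sample, the per-account view raises nothing while the per-source view flags the spraying address. Attempts spread across many source addresses would need the same count grouped on another key, which this sketch does not cover.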

“Midnight Blizzard’s ongoing attack is characterised by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” said Microsoft. 

Microsoft added that Midnight Blizzard may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. The company said this reflects what has become more broadly an ‘unprecedented global threat landscape’.

To mitigate the risks of another breach, Microsoft has increased its security investments, cross-enterprise coordination and mobilisation, and will continue to put in place enhanced security controls, detections, and monitoring.

Midnight Blizzard’s Attack on Microsoft

In January, Microsoft detected a threat from Midnight Blizzard, an alleged Russia-based threat actor identified by the US and UK governments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR.

The company activated a response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. 

Microsoft said that since November 2023, Midnight Blizzard had used a password spray attack to compromise a legacy non-production test tenant account. Such an account is typically one created for testing and development purposes within a system or software environment.

The threat actor used the compromised account’s permissions to access a limited number of Microsoft corporate email accounts, including those of senior leadership, cybersecurity, legal, and other teams. 

The intruder exfiltrated some emails and attached documents during the incident. Microsoft’s investigation indicated the threat actor was initially targeting email accounts for information related to Midnight Blizzard itself.   
