Microsoft has revealed that a state-sponsored Russian hacking group, known as Midnight Blizzard, accessed some of its corporate email accounts and stole some emails and documents from senior executives and employees working in security and legal teams.
The breach, which occurred in late November 2023 and was discovered on January 12, 2024, was the result of a password spraying attack, a technique that involves trying common or compromised passwords across multiple accounts until one of them works.
According to Microsoft, the hackers compromised a legacy non-production test account that had weak credentials and no two-factor authentication. They then used the account’s permissions to access other accounts that belonged to members of the senior leadership team and other functions.
Microsoft said that only a very small percentage of its corporate accounts were affected and that there was no evidence that the hackers had any access to customer environments, production systems, source code, or AI systems.
The company also said that it was able to remove the hackers’ access from the compromised accounts on or about January 13, 2024, and that it was in the process of notifying the affected employees.
The hacking group, which Microsoft calls Midnight Blizzard, is also known as APT29, Nobelium or Cozy Bear by cybersecurity researchers and linked to Russia’s SVR spy agency, according to US officials. The group is responsible for numerous other high-profile attacks, including the 2020 SolarWinds breach that affected several US government agencies and private companies.
Microsoft said that this attack highlighted the continued risk posed by well-resourced nation-state threat actors like Midnight Blizzard and urged all organisations to follow basic security hygiene practices, such as using strong passwords, enabling two-factor authentication, and applying security updates.
The company also said that it was working with law enforcement and other partners to investigate and respond to this incident and that it would share more details as they become available.