A notorious Russia-backed hacking group breached Microsoft’s systems last year and the tech giant has only just found out.
Microsoft has admitted to a major data breach of its corporate systems that saw the email accounts of senior leadership compromised for over a month in late 2023.
The company revealed that an allegedly state-backed Russian hacking group known as Midnight Blizzard or Nobelium was behind the attack. The outfit is well known in cybersecurity circles and was responsible for the infamous SolarWinds hack of 2020, widely regarded as the worst supply chain attack of all time.
According to Microsoft, a “password spray” attack was responsible for the new hack. A password spray is a form of brute force attack in which threat actors try a single password (typically a common or default one) against many accounts, then move on to the next password, until a login succeeds or the list is exhausted. Because each account sees only a handful of failures spread over time, the attack stays below the per-account lockout thresholds that would stop a conventional brute force attempt against one account.
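To make that distinction concrete, the following is an added example and not code from Microsoft or from the MSRC post: it classifies each source address in a constructed sign-in log as a password spray, a single-account brute force, or benign, and lists accounts that were successfully logged into after failed guesses from the same source. The log format, the lockout threshold of 10 and the five-account spray threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed per-account lockout policy and spray threshold (illustrative values,
# not Microsoft's). A spray deliberately stays below LOCKOUT_THRESHOLD per account.
LOCKOUT_THRESHOLD = 10
MIN_SPRAYED_ACCOUNTS = 5

# Constructed sample sign-in log, not real telemetry. The format is an assumption:
# "<ISO-8601 timestamp> <source_ip> <account> <FAIL|SUCCESS>".
#   203.0.113.7  sprays two guesses across six accounts, half an hour apart,
#                and gets into a stale test account on the second guess.
#   198.51.100.9 hammers a single account twelve times (classic brute force).
#   192.0.2.44   is a normal successful login with no prior failures.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 alice FAIL
2023-11-20T02:00:09Z 203.0.113.7 bob FAIL
2023-11-20T02:00:17Z 203.0.113.7 carol FAIL
2023-11-20T02:00:25Z 203.0.113.7 dave FAIL
2023-11-20T02:00:33Z 203.0.113.7 legacy-test-01 FAIL
2023-11-20T02:00:41Z 203.0.113.7 legacy-test-02 FAIL
2023-11-20T02:05:00Z 198.51.100.9 alice FAIL
2023-11-20T02:05:01Z 198.51.100.9 alice FAIL
2023-11-20T02:05:02Z 198.51.100.9 alice FAIL
2023-11-20T02:05:03Z 198.51.100.9 alice FAIL
2023-11-20T02:05:04Z 198.51.100.9 alice FAIL
2023-11-20T02:05:05Z 198.51.100.9 alice FAIL
2023-11-20T02:05:06Z 198.51.100.9 alice FAIL
2023-11-20T02:05:07Z 198.51.100.9 alice FAIL
2023-11-20T02:05:08Z 198.51.100.9 alice FAIL
2023-11-20T02:05:09Z 198.51.100.9 alice FAIL
2023-11-20T02:05:10Z 198.51.100.9 alice FAIL
2023-11-20T02:05:11Z 198.51.100.9 alice FAIL
2023-11-20T02:31:02Z 203.0.113.7 alice FAIL
2023-11-20T02:31:10Z 203.0.113.7 bob FAIL
2023-11-20T02:31:18Z 203.0.113.7 carol FAIL
2023-11-20T02:31:26Z 203.0.113.7 dave FAIL
2023-11-20T02:31:34Z 203.0.113.7 legacy-test-01 SUCCESS
2023-11-20T02:31:42Z 203.0.113.7 legacy-test-02 FAIL
2023-11-20T09:14:00Z 192.0.2.44 alice SUCCESS
"""


def parse_events(log_text):
    """Parse the constructed log into (timestamp, src_ip, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       src_ip, account, result))
    return events


def classify_sources(events, min_accounts=MIN_SPRAYED_ACCOUNTS, lockout=LOCKOUT_THRESHOLD):
    """Label each source IP that produced failures as spray, brute force or benign.

    A spray shows many distinct accounts but few failures per account (below the
    lockout threshold, which is exactly why lockout never fired); brute force
    shows a high failure count against one account. Accounts where a SUCCESS
    followed earlier failures from the same source are reported as likely
    compromises.
    """
    fails = defaultdict(lambda: defaultdict(int))   # src_ip -> account -> failures
    hits = defaultdict(set)                          # src_ip -> accounts entered after failures
    for _ts, src_ip, account, result in sorted(events):
        if result == "FAIL":
            fails[src_ip][account] += 1
        elif result == "SUCCESS" and fails.get(src_ip, {}).get(account, 0) > 0:
            hits[src_ip].add(account)

    verdicts = {}
    for src_ip, per_account in fails.items():
        distinct, peak = len(per_account), max(per_account.values())
        if distinct >= min_accounts and peak < lockout:
            kind = "password_spray"
        elif peak >= lockout:
            kind = "brute_force"
        else:
            kind = "benign"
        verdicts[src_ip] = {
            "kind": kind,
            "accounts_targeted": distinct,
            "peak_failures_per_account": peak,
            "compromised": sorted(hits[src_ip]),
        }
    return verdicts


if __name__ == "__main__":
    for src_ip, verdict in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(src_ip, verdict)
```

Run against the sample, 203.0.113.7 is labelled a spray with a peak of two failures per account, well under the lockout threshold, and legacy-test-01 is flagged as compromised; 198.51.100.9 is labelled brute force. Two simplifications to keep in mind when adapting this to real sign-in logs: the example groups by source address over the whole log, whereas real sprays are spread over days and commonly rotated across many source addresses, so production detections bucket by time and correlate on the password-attempt pattern rather than on a single IP; and detection only tells you afterwards, whereas MFA on every account, stale test accounts included, is what stops a correct guess from turning into a login.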
Microsoft Finally Detects Embarrassing November 2023 Breach
Writing in a new blog post, Microsoft admitted that it only detected the breach of its corporate systems on January 12, despite the bad actors first gaining access in late November 2023.
It’s a major egg-on-face moment for Microsoft, not least because the success of a password spray implies that the compromised account was not protected by two-factor or multi-factor authentication (2FA / MFA): a guessed password alone should not grant access where MFA is enforced. Microsoft recommends MFA as best practice to its customers for all types of accounts.
The hackers were able to pull off the attack by targeting legacy test accounts no longer in active use by Microsoft, and therefore not covered by the more robust security measures applied to production accounts. As a result, a “small percentage” of corporate email accounts were accessible for over a month, including those of members of Microsoft’s senior leadership and cybersecurity teams.
Microsoft is hardly alone in neglecting certain aspects of cybersecurity best practice: our recent Impact of Technology in the Workplace report found that the vast majority of businesses weren’t using simple tools like password managers and VPNs to fortify their defenses.
Why Did Nobelium Hack Microsoft’s Emails?
This is where things get interesting. Often, when a data breach hits a major company, it’s part of a ransomware or extortion attack in which the attackers threaten to sell or leak the stolen data unless a ransom is paid.
In this instance, it looks like the hackers were targeting Microsoft’s emails to see what information the company held on the group itself, rather than for financial gain.
“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” the tech giant writes on its Microsoft Security Response Center blog.
Microsoft to Lock Down Legacy Systems in Response
As a result of the hack, Microsoft added that it would be applying its “current security standards” to all of its legacy systems, even though such an undertaking would result in “some level of disruption.”
While some emails and documents were “exfiltrated” in the hack, the company said that there’s no suggestion the Midnight Blizzard crew were able to access customer environments or data – or anything to do with the company’s AI work on products like Copilot.
In addition to the SolarWinds hack of 2019/20, the Russian nation-state hackers are also understood to have been behind the 2015 attack on the Democratic National Committee. As well as Midnight Blizzard/Nobelium, they are known by a number of other monikers, including APT29 and Cozy Bear.