Microsoft Discloses Breach by Russian State-Backed Hackers
Microsoft revealed that its corporate email system was breached by state-backed Russian hackers, resulting in unauthorized access to accounts held by key leadership and teams responsible for cybersecurity and legal matters. The intrusion, which began in late November, was only detected on January 12 and has been attributed to the same highly skilled Russian hacking group responsible for the SolarWinds cyberattack.
Although Microsoft indicated that only “a very small percentage” of its corporate accounts were compromised, it acknowledged that specific emails and associated documents were accessed. While the company refrained from specifying the exact members of its senior leadership whose email accounts were breached, it assured that access to the compromised accounts was successfully revoked around January 13.
Microsoft is currently in the process of informing employees whose email accounts were accessed, emphasizing that the hackers initially targeted email accounts for information related to their activities. The company also stated that the breach has not materially impacted its operations, as indicated in a regulatory filing with the U.S. Securities and Exchange Commission (SEC).
The hackers reportedly gained access by compromising the credentials of a “legacy” test account, exposing the risk carried by outdated accounts and code. That initial foothold allowed the hackers to exploit the account’s permissions and reach the mailboxes of the senior leadership team and other employees. The attack technique, referred to as “password spraying,” involves trying a single common password against many accounts rather than many passwords against one account. Microsoft clarified that the attack was not due to any vulnerability in its products or services. Furthermore, there is no evidence that the threat actors gained access to customer environments, production systems, source code, or AI systems. Nevertheless, the company assured that it would promptly notify customers if any action is required. The hacking unit responsible for the breach has been named “Midnight Blizzard” by Microsoft and was referred to as “Nobelium” before the company revamped its threat-actor nomenclature. Cybersecurity firm Mandiant, a subsidiary of Google, tracks the group as “Cozy Bear.”
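As an added illustration (not from the article, and not Microsoft's own tooling), the Python rule below looks for the password-spraying pattern just described in a constructed set of sign-in events: many distinct accounts failing from one source address within a short window, each only a few times, which distinguishes a spray from a brute-force attempt on a single user. Account names, addresses, timestamps and thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): (timestamp, account, source_ip, outcome)
EVENTS = [
    ("2024-01-12T03:00:05", "alice@corp.example", "203.0.113.7", "failure"),
    ("2024-01-12T03:00:09", "bob@corp.example", "203.0.113.7", "failure"),
    ("2024-01-12T03:00:14", "carol@corp.example", "203.0.113.7", "failure"),
    ("2024-01-12T03:00:20", "dave@corp.example", "203.0.113.7", "failure"),
    ("2024-01-12T03:00:27", "erin@corp.example", "203.0.113.7", "failure"),
    ("2024-01-12T03:00:33", "legacy-test@corp.example", "203.0.113.7", "success"),
    # One user mistyping a password from an office address: not a spray.
    ("2024-01-12T09:15:01", "frank@corp.example", "198.51.100.4", "failure"),
    ("2024-01-12T09:15:08", "frank@corp.example", "198.51.100.4", "failure"),
    ("2024-01-12T09:15:15", "frank@corp.example", "198.51.100.4", "success"),
]

def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return one alert per source IP whose failures, within any sliding window,
    touch at least min_accounts distinct accounts while no single account fails
    more than max_per_account times: the 'one password, many accounts' signature
    of a spray, as opposed to brute force against one user."""
    failures = defaultdict(list)   # ip -> list of (timestamp, account), in time order
    successes = defaultdict(set)   # ip -> accounts that signed in successfully from it
    for ts_str, account, ip, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if outcome == "failure":
            failures[ip].append((ts, account))
        else:
            successes[ip].add(account)
    alerts = []
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            counts = defaultdict(int)
            for _, acct in fails[start:end + 1]:
                counts[acct] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts.append({
                    "source_ip": ip,
                    "accounts_targeted": len(counts),
                    "followed_by_success": sorted(successes[ip]),  # which account the spray got into
                })
                break   # one alert per source is enough for triage
    return alerts
```

A success from the same source shortly after a spray, as with the legacy test account here, is the event worth escalating first.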
This breach adds to the notoriety of the SolarWinds hacking campaign, which Microsoft previously labeled as “the most sophisticated nation-state attack in history.” The campaign compromised numerous U.S. government agencies, private companies, and think tanks, including software and telecommunications providers.
The primary focus of the SVR, Russia’s foreign intelligence agency, is intelligence-gathering, with a particular emphasis on targeting governments, diplomats, think tanks, and IT service providers in the U.S. and Europe. This breach serves as a reminder of the ongoing threat posed by sophisticated state-backed cyber actors, highlighting the critical importance of robust cybersecurity measures in the modern digital landscape.