The Microsoft Security Response Center detected an intrusion by the Russian state-sponsored hacking group Midnight Blizzard (aka Nobelium), believed to be part of the SVR Foreign Intelligence Service: the same perpetrators behind the sophisticated SolarWinds attack in 2020.
The breach, discovered on 12th January, exposed the accounts of top executives, cybersecurity experts and legal team members, raising concerns over sensitive information exposure.
The attack apparently began in late November. Despite the lengthy amount of time the attackers were present in the system, Microsoft insists that that only a “very small percentage” of corporate accounts were compromised. However, the attackers managed to steal emails and attached documents during the incident.
Microsoft is currently notifying employees affected by the breach.
A regulatory filing submitted on Friday said the company had successfully revoked the hackers’ access from the compromised accounts on or about 13th January.
Hackers used legacy account
The breach was facilitated through a password spraying technique, which the hackers used to access a “legacy non-production test tenant account” with outdated code.
The attackers leveraged the account’s permissions to infiltrate accounts belonging to senior leaders and other targeted employees.
Microsoft said the breach did not stem from vulnerabilities in its products or services, and there is no evidence suggesting access to customer environments, production systems, source code or AI systems.
Who is Nobelium?
The Russian hacking group known as Nobelium is infamous for its sophisticated attacks. Microsoft, along with the US government, classifies the group as part of the Russian Foreign Intelligence Service, SVR.
Nobelium was responsible for one of the most significant breaches in US history, when it breached the US government by inserting malicious code into SolarWinds’ Orion software updates.
The gang has also breached cybersecurity firm FireEye, government agencies and IT service providers, as well as several attacks on the Ukrainian government during the ongoing war.
Microsoft’s disclosure comes one month after the implementation of a new US Securities and Exchange Commission rule, compelling publicly traded companies to share breaches that could impact their business within four days.
Microsoft said that, despite not believing the attack had a material impact, it wanted to adhere to the spirit of the new rules.
While the attack did not impact Microsoft customers directly and was not the result of a vulnerability in Microsoft’s systems, it adds to a series of cybersecurity challenges faced by the company.
Microsoft has been at the forefront of notable cyber incidents, including the SolarWinds attack: a flaw in Microsoft Exchange Server that led to the compromise of 30,000 organisations’ email servers in 2021; and Chinese hackers exploiting a Microsoft cloud vulnerability to breach US government emails last year.
Microsoft is now changing its approach to designing, building, testing and operating its software and services.
“As we said late last year when we announced Secure Future Initiative (SFI), given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient,” the company said.
“For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”
Wanda Parisien is a computing expert who navigates the vast landscape of hardware and software. With a focus on computer technology, software development, and industry trends, Wanda delivers informative content, tutorials, and analyses to keep readers updated on the latest in the world of computing.
