Incursions by state sponsored hackers are becoming at least an annual occurrence for Microsoft, and 2024 already has a security breach in the books as the Microsoft Security Response Center (MSRC) has announced that one of Russia’s top hacking teams stole corporate emails.
The incident actually began sometime in November last year, but Microsoft did not detect and remediate the breach until January 12. The incursion was the work of the group formerly known as “Cozy Bear” or “NOBELIUM,” which MSRC now refers to as “Midnight Blizzard” under its new weather-based system of threat actor names. While a break-in by a group of state sponsored hackers this experienced might initially seem understandable, the security breach was eventually traced back to a simple password spray on a legacy test account with some questionable permissions.
Multiple Microsoft breaches by Russian and Chinese state sponsored hackers within two years
The incident continues a chain that includes the mid-2023 breach of Microsoft 365 email accounts by a Chinese APT group, and a 2022 security breach also thought to involve Russian state sponsored hackers.
All of this has caused some in the US government, most prominently Kansas Senator Ron Wyden, to question the security of their relationship with Microsoft. The fact that a legacy test account was abused with a relatively trivial password spray attack in this case is certainly not going to improve Microsoft’s standing.
“Midnight Blizzard” certainly doesn’t need much of an opening. Thought to be directed by the Russian Foreign Intelligence Service (SVR), the group has been a persistent pain for the US government dating back over two decades now. It already had SolarWinds, the leak of Democratic National Committee emails, and a successful attack on the Pentagon on its resume. If a deprecated test account with far-ranging email access is hanging around in a high value target’s network, a group like this is inevitably going to find it.
It is difficult for any organization (much less the US government) to divest from Microsoft’s range of hardware and software products, but these repeated security breach incidents seem to have some at least kicking the idea around. The company is one of a relative few that, because of its position, absolutely must keep state sponsored hackers at bay.
Security breach could have been much worse
Microsoft’s communications make this sound as if it was a relatively minor incident, but if it was it is mostly owed to the restraint of the state sponsored hackers. The Russians only seemed to be interested in learning what Microsoft’s security team knows about them, selectively targeting certain email accounts and attachments. However, this did include members of senior leadership and cybersecurity staff.
Thus far there is no word of Microsoft customers suffering any fallout from this particular security breach, and the company says its production systems and AI projects remain secure. It is also claiming no material impact from the incident.