State-Sponsored Russian Hacking Group Attacked Microsoft Over Two Months


Last night, Microsoft announced that it recently detected an ongoing attack on its corporate computing systems that started in November. It has identified Midnight Blizzard, a Russian state-sponsored hacking group, as the responsible party.

“The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access,” the Microsoft Security Response Center writes in the announcement post. “There is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”


Microsoft says that the attack was not triggered by a vulnerability in its products and services. Instead, the hacker group used a “password spray attack” to compromise a legacy non-production test tenant account, which it then used to access “a very small percentage of Microsoft corporate email accounts,” including those of members of its senior leadership team and of employees in its cybersecurity, legal, and other groups. The hackers were able to download some email messages and attachments, and based on the initial analysis, it appears they were trying to find out how much Microsoft knew about their group.
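A password spray tries one or two common passwords against many accounts so that no single account crosses a lockout threshold, which is exactly why a legacy test tenant without modern sign-in protections is an attractive foothold. The detector below is an added example written for this article, not Microsoft's own tooling; it runs over constructed sign-in log lines (hypothetical tenant name, documentation IP ranges) and flags a source that fails against many distinct accounts while staying below a per-account failure count, the shape a per-account lockout policy misses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry), one per line:
# "<timestamp> <tenant> <user> <source_ip> <result>". Source 203.0.113.7 shows the
# spray shape: one guess per account across many accounts, then a hit on user07.
# Source 198.51.100.4 hammers a single account and should NOT be flagged as a spray.
SAMPLE_EVENTS = [
    "2024-01-10T02:00:01Z legacy-test-tenant user01 203.0.113.7 FAILURE",
    "2024-01-10T02:00:09Z legacy-test-tenant user02 203.0.113.7 FAILURE",
    "2024-01-10T02:00:17Z legacy-test-tenant user03 203.0.113.7 FAILURE",
    "2024-01-10T02:00:25Z legacy-test-tenant user04 203.0.113.7 FAILURE",
    "2024-01-10T02:00:33Z legacy-test-tenant user05 203.0.113.7 FAILURE",
    "2024-01-10T02:00:41Z legacy-test-tenant user06 203.0.113.7 FAILURE",
    "2024-01-10T02:00:49Z legacy-test-tenant user07 203.0.113.7 SUCCESS",
    "2024-01-10T02:05:00Z legacy-test-tenant user01 198.51.100.4 FAILURE",
    "2024-01-10T02:05:20Z legacy-test-tenant user01 198.51.100.4 FAILURE",
    "2024-01-10T02:05:40Z legacy-test-tenant user01 198.51.100.4 FAILURE",
]

def parse_event(line):
    ts, tenant, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), tenant, user, ip, result

def detect_password_spray(lines, min_accounts=5, window=timedelta(minutes=10), max_per_account=2):
    """Flag (tenant, source_ip) pairs whose failures inside some `window` touch at least
    `min_accounts` distinct accounts with no more than `max_per_account` failures each.
    One alert per source, listing any account that later signed in successfully from it."""
    failures = defaultdict(list)   # (tenant, ip) -> [(ts, user)]
    successes = defaultdict(set)   # (tenant, ip) -> accounts with a successful sign-in
    for line in lines:
        ts, tenant, user, ip, result = parse_event(line)
        if result == "FAILURE":
            failures[(tenant, ip)].append((ts, user))
        elif result == "SUCCESS":
            successes[(tenant, ip)].add(user)
    alerts = []
    for key, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window anchored at each failure
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts.append({"tenant": key[0], "source_ip": key[1],
                               "accounts_targeted": len(per_user),
                               "accounts_compromised": sorted(successes[key])})
                break
    return alerts
```

Real sign-in logs carry more fields and different formats, so `parse_event` stands in for whatever the tenant's identity provider exports; the thresholds are starting points to tune against normal traffic, and a spray alert that coincides with a success from the same source is the one to treat as a confirmed compromise.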

Microsoft announced in November its Secure Future Initiative (SFI), a modern Trustworthy Computing-like push to modernize and accelerate its response to today’s more sophisticated cyber-attacks. And of course, this event highlights that need nicely: Microsoft says that it will now move even faster to implement SFI in its legacy and internal business systems despite the disruption this may cause.

“Given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient,” Microsoft notes. “[Updating these systems now for SFI] is a necessary step, and only the first of several we will be taking to embrace this philosophy.”

Microsoft will continue investigating the hack and is working with law enforcement and regulators, and it pledges to share more information and what it learns from this episode so that its customers and partners can benefit from the experience as well.

You can learn more in Microsoft’s 8-K filing with the U.S. Securities and Exchange Commission (SEC).


Thurrott © 2024 Thurrott LLC