
Microsoft Admits Code Stolen in Midnight Blizzard Attacks

Microsoft logo at the company office building located in Munich, Germany

In early January, Microsoft revealed that a Russian-backed cyber syndicate had lifted information from the email accounts of some of its senior leadership team and employees in its cybersecurity, legal and other functions.

The actual event had occurred the prior November. The company has yet to identify the affected employees or disclose which emails and attached documents had been exfiltrated. In that case, the Midnight Blizzard (aka Nobelium) hackers lurked in Microsoft’s systems for months.

Now, in a security update and an 8-K filing, Microsoft provides more information on the incident, which Midnight Blizzard, the same crew that orchestrated the high-profile SolarWinds attack, carried out. It is also the same perpetrator that the vendor warned about in December 2020 in a four-part blog series.

In what it called an “ongoing” attack, Microsoft acknowledged in the latest update that the Nobelium intrusion had led to some source code being stolen.

“In recent weeks, we have seen evidence that Midnight Blizzard [Nobelium] is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” said Microsoft in a blog post.

The blog post continued, “Since the date of the original filing, [Microsoft] has determined that the threat actor used and continues to use information it obtained to gain, or attempt to gain, unauthorized access to some of the Company’s source code repositories and internal systems. The threat actor’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. Our active investigations of the threat actor’s activities are ongoing, findings of our investigations will continue to evolve, and further unauthorized access may occur.”

It’s not clear what source code was taken. Midnight Blizzard is now attempting to use “secrets of different types it has found” to try to further breach the company and potentially its customers, Microsoft said.

“Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” the company said.

How Midnight Blizzard Attacks

Instead of exploiting software flaws and vulnerabilities, Midnight Blizzard attacks typically leverage password spray and phishing techniques to steal legitimate credentials and gain privileged access. In this instance, the hackers increased their password sprays roughly 10-fold in February, compared with the “large volume” Microsoft experienced the prior month, Microsoft said.

In its blog post, Microsoft said that it had “found no evidence that Microsoft-hosted customer-facing systems have been compromised.” The company additionally said that it did not believe the events rose to the standard of materiality as required by the SEC in a cybersecurity disclosure regulation that went into effect on December 18, 2023.

In response to the attack, Microsoft said it has “increased its security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat.”

Microsoft has drawn withering criticism recently for lax security measures and unsatisfactory adherence to best practices. Tenable chief executive Amit Yoran called the Midnight Blizzard breach a “strategic blow” to the company.

“Midnight Blizzard isn’t some small-time criminal gang. They are a highly professional, Russian-backed outfit that fully understands the value of the data they’ve exposed and how to best use it to inflict maximum harm,” said Yoran. “Given Russia’s relationship with China and other strategic adversaries, the consequences get very troubling, very quickly.”

In referencing Midnight Blizzard’s password spray attacks on Microsoft, AJ Lindner, One Identity solutions architect, said that “password spray attacks only succeed due to the use of weak or common passwords, typically pulled from already-existing breach repositories with usernames generated from publicly available sources like LinkedIn. Threat actors like Midnight Blizzard only need to be successful once, which is why enterprises need to ensure that security policies do not permit their employees to use the most likely passwords to be vulnerable to spraying, like ‘password1!’ or ‘Microsoft2’.”

Picking on Microsoft Continues

In recent years, Microsoft has been at the center of a number of large-scale intrusions. Three years ago, hackers exploited a Microsoft Exchange Server flaw to break into the email servers of tens of thousands of organizations.

Last year, Chinese operatives broke into the email boxes of federal agencies, individuals and organizations. In that instance, U.S. Senator Ron Wyden (D-OR) tagged Microsoft with responsibility for the espionage operation, accusing the company of “negligent cybersecurity practices.”

More than a year ago, Microsoft called Midnight Blizzard an “advanced and persistent adversary because of its tenacious attacks and ever-evolving TTPs.”

Most attackers, Microsoft said, “play an impressive game of checkers, but increasingly we see advanced persistent threat actors playing a masterclass-level game of chess.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.