Microsoft announced today that it was hacked by "actors backed by the Russian state" called Midnight Blizzard, also known as Nobelium. This is the same hacker group suspected of being involved in the massive hack against the SolarWinds supply chain that occurred in 2020.
"Beginning in late November 2023, the threat actors gained a foothold by compromising a legacy non-production test tenant account using a password spray attack. They then used the privileges of that account to gain access to a small subset of Microsoft corporate email accounts, including members of our senior leadership team and employees in cybersecurity, legal, and other functions, and exfiltrated several emails and attachments," Microsoft wrote.
"According to our investigation, they initially targeted the email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose emails were accessed.
Microsoft said it detected the attack on January 12; it did not elaborate on what information Midnight Blizzard/Nobelium was looking for, but there is a long history between the two: 2021, after the Solarwinds hack, Microsoft posted a four-part blog/video series about the group. Pulling back the curtain on the NOBELUM incident and how Microsoft and world-class threat hunters from across the industry came together to take on the most sophisticated nation-state attack in history."
Microsoft has also taken an active role in countering Russian cyber attacks against Ukraine.
"Password-spreading" is a brute force attack, where hackers hit known valid usernames with common passwords in the hopes that someone will get lazy and use something like "1234". Automated systems are difficult to defend against, as they are often used to use a large number of passwords in a relatively short period of time, exploiting user vulnerabilities rather than system vulnerabilities.
From the website of online security firm Login Radius:
Hackers can target specific users and cycles using as many passwords as possible from either a dictionary or a compiled list of common passwords. Password dissemination is not a targeted attack, but rather one malicious actor obtaining a list of email accounts or accessing active directories and signing in to all accounts using a list of the most likely, popular, or common passwords until a hit Just try.
The key gist of password spraying is that user accounts with old or common passwords form a weak link that hackers can exploit to gain access to the network. Unfortunately, password spray attacks frequently succeed because many account users do not follow password protection best practices or choose convenience over security.
Microsoft essentially says the same thing, noting that the attacks "are not the result of vulnerabilities in Microsoft products or services." It currently has no evidence that hackers gained access to "customer environments, production systems, source code, or AI systems," and says it will notify customers each time further action is required.
Even so, this hack will have an impact: Microsoft says that the surge of state-sponsored hackers has forced it to reevaluate the "balance it must strike between security and business risk," and that "legacy systems owned by Microsoft and . will immediately apply current security standards to its internal business processes."
"While there will likely be some degree of disruption while we adjust to this new reality, this is a necessary step and just the first of several we will take to embrace this philosophy.
Microsoft has been at the center of numerous large-scale hacks in recent years: in 2021, the U.S. and other NATO countries accused China of sponsoring the hack of Microsoft Exchange servers; in 2022, a Lapsus$ attack led to the theft of Bing and Cortana source code was stolen. In 2023, the company's Azure platform was infiltrated by a Chinese hacking group that gained access to users' email accounts. As such, Tenable Chairman and CEO Amit Yoran accused the company of "repeatedly engaging in negligent cybersecurity practices that enabled Chinese espionage against the U.S. government."
.
Comments