Microsoft has disclosed an interesting campaign targeting its executives. It turns out the attackers were looking for information about what Microsoft knew about them. But let’s be honest: they were looking for intelligence on themselves, as well as anything else they could get their hands on.
Either way, while some want to mock the software giant for getting popped (and I get it: password spraying shouldn’t work, and test systems should be pulled down the moment they stop being used), there isn’t much anyone can do against an adversary that has unlimited time and budget.
Sources: Reuters, DW, Voice of America, Microsoft, Microsoft 8-K
According to a recent 8-K filing, Microsoft said a nation-state-associated threat actor known as Midnight Blizzard (see also: APT29, Nobelium, Cozy Bear) gained unauthorized access to its corporate systems in late November 2023.
This attack resulted in the exfiltration of data from a small yet critical subset of employee email accounts. Notably, this breach included email accounts of members of Microsoft’s senior leadership team and key personnel in cybersecurity, legal, and other functions.
Microsoft’s investigation into the breach revealed that the hackers’ primary objective was to gather intelligence on what Microsoft knew about their operations. This focus on information about themselves, rather than on customer data or Microsoft’s internal systems, underscores the espionage nature of the attack. Despite the breach, Microsoft confirmed that there was no evidence of the threat actor gaining access to customer environments, production systems, source code, or AI systems.
The attack’s discovery on January 12, 2024, triggered a quick response by Microsoft’s security team, and by January 13, the company had successfully eradicated the threat actor’s access to the compromised email accounts. Microsoft is currently conducting a thorough examination of the accessed information to assess the full impact of the incident. This ongoing investigation aims to understand the extent of the breach and its implications.
As of the latest update, Microsoft has reported that this incident has not had a material impact on the company’s day-to-day operations. However, the company has yet to conclude whether the breach will materially affect Microsoft’s financial condition or operational results.
The incident highlights the continued risk posed by well-resourced nation-state actors like Midnight Blizzard. The 8-K filing was issued to comply with the new U.S. Securities and Exchange Commission (SEC) regulation that requires publicly owned companies to disclose significant cyber incidents within four days of determining that a breach is material.
Midnight Blizzard is linked to Russia’s Foreign Intelligence Service (SVR), an agency infamous for its high-profile intrusions, including the 2016 Democratic National Committee breach. The group primarily conducts intelligence-gathering operations against governments, diplomats, and think tanks, particularly in the U.S. and Europe.