In a recent blog post, Microsoft revealed that state-backed Russian hackers successfully broke into its corporate email system and gained access to various accounts. The intrusion reportedly began in late November but was only discovered on January 12th. This highly skilled hacking team, believed to be responsible for the SolarWinds breach, targeted the accounts of the company’s leadership team, as well as employees from the cybersecurity and legal departments. While Microsoft stated that only a small percentage of accounts were accessed, some emails and attached documents were stolen as a result. The company spokesperson did not provide specific details regarding which members of the senior leadership team were affected by the breach.
Response and Investigation
Upon discovering the breach, Microsoft promptly took action to remove the hackers’ access from the compromised accounts. By January 13th, the necessary security measures were implemented. The company is currently in the process of notifying employees whose email accounts may have been accessed during the incident. Additionally, Microsoft clarified that the hacking team was primarily targeting email accounts in search of information about the group’s own activities.
Microsoft’s disclosure of this breach comes shortly after the implementation of a new U.S. Securities and Exchange Commission (SEC) rule. Under this rule, publicly traded companies are required to disclose any breaches that could potentially negatively impact their business. They must do so within four days, unless they receive a national-security waiver. In Microsoft’s recent regulatory filing with the SEC, it stated that, as of the filing date, the incident had not caused a material impact on its operations. However, the company has not yet determined whether the breach will have a significant financial impact.
The Hackers’ Methods
According to Microsoft, the Russian hackers gained access to the corporate email system by compromising credentials on a “legacy” test account that had outdated code. They then utilized the permissions of this account to access the accounts of the senior leadership team and others within the organization. The hacking technique employed by the threat actors is known as “password spraying.” This technique involves using a single common password to attempt to log into multiple accounts. Microsoft previously highlighted this method in an August blog post, revealing that the same Russian hacking team had attempted to steal credentials from numerous global organizations through Microsoft Teams chats.
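Password spraying leaves a recognizable footprint in sign-in logs: one source tries a small number of attempts against many different accounts, staying under per-account lockout thresholds, and a single success after that pattern is the account to investigate first. The following is an added detection example, not code from the original article or from Microsoft; the log format, the account names, the source addresses and the thresholds (five accounts, at most two failures each, within ten minutes) are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not real data). Format, per line:
# <ISO timestamp> <account> <source IP> <FAILURE|SUCCESS>
# 198.51.100.7 sprays one guess across five accounts, then lands on a legacy test account.
# 203.0.113.9 hammers a single account (brute force, not a spray) and should NOT be flagged.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z alice@example.test 198.51.100.7 FAILURE
2024-01-12T03:00:05Z bob@example.test 198.51.100.7 FAILURE
2024-01-12T03:00:09Z carol@example.test 198.51.100.7 FAILURE
2024-01-12T03:00:14Z dave@example.test 198.51.100.7 FAILURE
2024-01-12T03:00:19Z erin@example.test 198.51.100.7 FAILURE
2024-01-12T03:00:23Z legacy-test@example.test 198.51.100.7 SUCCESS
2024-01-12T03:01:00Z alice@example.test 203.0.113.9 FAILURE
2024-01-12T03:01:30Z alice@example.test 203.0.113.9 FAILURE
2024-01-12T03:02:00Z alice@example.test 203.0.113.9 SUCCESS
2024-01-12T09:00:00Z bob@example.test 192.0.2.44 SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, user, ip, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "result": result,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Flag a source IP when, inside `window`, it fails against at least
    `min_accounts` distinct accounts with no more than `max_per_account`
    failures per account. That low-and-slow shape (many users, few tries each)
    is what distinguishes a spray from a brute force against one account.
    Any SUCCESS from the same source inside the window is reported as a
    likely compromised account."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        # Slide a window over this source's events, anchored at each event in turn.
        for i, start in enumerate(evs):
            fails = defaultdict(int)
            successes = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["result"] == "FAILURE":
                    fails[e["user"]] += 1
                elif e["result"] == "SUCCESS":
                    successes.add(e["user"])
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                findings.append({
                    "ip": ip,
                    "window_start": start["ts"],
                    "accounts_targeted": sorted(fails),
                    "compromised": sorted(successes),
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']}: sprayed {len(f['accounts_targeted'])} accounts "
              f"from {f['window_start']}, successes: {f['compromised']}")
```

Run against the constructed sample, the detector reports only 198.51.100.7, with legacy-test@example.test as the account that accepted the sprayed password; the single-account attempts from 203.0.113.9 fall below the distinct-account threshold and are left to a separate brute-force rule. The same shape of query works over real tenant sign-in logs, and it pairs naturally with the other lesson of this incident: inventory legacy and test accounts and subject them to the same MFA and conditional-access policies as production identities.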
Reassurance and Attribution
Microsoft emphasized that the breach was not a result of any vulnerabilities in its products or services. To date, there is no evidence indicating that the hackers gained access to customer environments, production systems, source code, or AI systems. If any action is required from customers, Microsoft has assured that they will be promptly notified. The hacking unit behind this breach is referred to as Midnight Blizzard by Microsoft, while the cybersecurity firm Mandiant, owned by Google, calls the group Cozy Bear. It’s worth noting that prior to rebranding its threat-actor naming, Microsoft had referred to this group as Nobelium.
Microsoft described the SolarWinds hacking campaign, believed to be orchestrated by the same group, as the most sophisticated nation-state attack in history. This campaign targeted not only U.S. government agencies but also more than 100 private companies and think tanks, including software and telecommunications providers. The primary focus of the Russian intelligence agency, known as SVR, is intelligence-gathering, primarily targeting governments, diplomats, think tanks, and IT service providers in the U.S. and Europe.
The breach of Microsoft’s corporate email system by state-backed Russian hackers highlights the persistent and evolving threats posed by cyber actors. The company’s rapid response and ongoing investigation demonstrate their commitment to addressing and mitigating such incidents. It serves as a reminder to organizations of all sizes to prioritize robust cybersecurity measures to protect sensitive information and maintain operational resilience in the face of growing cyber threats.