Microsoft revealed that it fell victim to a nation-state attack on its corporate systems, resulting in the theft of emails and attachments from senior executives and individuals in cybersecurity and legal departments. The attack, attributed to the Russian APT group Midnight Blizzard (formerly Nobelium), employed a password spray attack to compromise a non-production test tenant account. The breach, detected on January 12, 2024, prompted immediate steps to investigate, disrupt, and mitigate the malicious activity. The campaign is estimated to have begun in late November 2023.
The threat actors, known for the high-profile SolarWinds supply chain compromise, accessed a small percentage of Microsoft corporate email accounts, including those of senior leadership and employees in cybersecurity and legal functions. Microsoft clarified that the attack was not the result of any security vulnerability in its products, and there is no evidence that the adversary accessed customer environments, production systems, source code, or AI systems. While the exact number of infiltrated email accounts and accessed information remain undisclosed, Microsoft is in the process of notifying impacted employees. The Microsoft Security Response Center emphasized the continued risk posed by well-resourced nation-state threat actors like Midnight Blizzard.
Midnight Blizzard, also identified as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes, previously targeted Microsoft twice, first in December 2020 to siphon source code related to Azure, Intune, and Exchange components, and later breaching three customers in June 2021 via password spraying and brute-force attacks. The company underscored the importance of vigilance against such threat actors. The disclosed incident highlights the persistent challenges organizations face from advanced nation-state cyber threats and emphasizes the need for robust cybersecurity measures to safeguard sensitive information and corporate systems.
