Microsoft has now confirmed that the Russian cyberspies who broke into its executives’ email accounts stole source code and gained access to internal systems. The Redmond giant has characterized the intrusion as “ongoing.”
In an updated US Securities and Exchange Commission filing and a companion security post, Microsoft provided more details about the breach, which it originally disclosed in January.
At that time, Microsoft said Midnight Blizzard — the Kremlin-backed crew also known as Cozy Bear and APT29 that was behind the SolarWinds supply chain attack — snooped around in “a very small percentage of Microsoft corporate email accounts” and stole internal messages and files belonging to the leadership team, cybersecurity and legal employees.
“There is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” Redmond said in January.
That has since changed.
“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” according to the latest disclosure. “This has included access to some of the company’s source code repositories and internal systems.”
Microsoft maintains that there’s “no evidence” so far that the Russian criminals compromised any customer-facing systems. But that’s not for lack of trying.
“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” the company admitted. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”
It also sounds like this is not the last we’ll hear about the break-in, which started in November and used password spray attacks to compromise a corporate account that did not have multi-factor authentication enabled.
The spies are still trying to access additional Microsoft accounts, and we’re told the volume of password sprays increased ten-fold in February compared to the volume of such attacks seen in January.
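The initial foothold described above was a password spray against an account without multi-factor authentication. The following is an added example, not code from Microsoft or from the original article, showing the defender-side check a practitioner would run: it parses constructed sign-in log lines (the usernames and IP addresses are invented) and flags sources whose failures span many distinct accounts within a short window, which is the signature of a spray, then lists any account that subsequently succeeded from such a source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines: timestamp, user, source IP, result.
# Invented for this example; not taken from any real disclosure.
SAMPLE_LOG = """\
2024-02-01T08:00:01Z alice 203.0.113.7 FAIL
2024-02-01T08:00:03Z bob 203.0.113.7 FAIL
2024-02-01T08:00:05Z carol 203.0.113.7 FAIL
2024-02-01T08:00:07Z dave 203.0.113.7 FAIL
2024-02-01T08:00:09Z erin 203.0.113.7 FAIL
2024-02-01T08:00:11Z frank 203.0.113.7 SUCCESS
2024-02-01T08:05:00Z alice 198.51.100.2 FAIL
2024-02-01T08:05:30Z alice 198.51.100.2 FAIL
2024-02-01T08:06:00Z alice 198.51.100.2 SUCCESS
"""

def parse(log_text):
    """Turn the whitespace-separated log lines into (datetime, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted usernames} for sources whose failed logins hit at least
    min_users distinct accounts inside a sliding window. A spray tries one or a few
    passwords across many accounts, so the signal is breadth of usernames from one
    source, not repeated failures against a single account (classic brute force)."""
    fails = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        if result == "FAIL":
            fails[ip].append((ts, user))
    hits = {}
    for ip, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def successes_after_spray(events, sprays):
    """Accounts that authenticated successfully from a spraying source. These are the
    first accounts to review: without MFA, a single guessed password is a compromise."""
    return sorted({user for ts, user, ip, r in events if ip in sprays and r == "SUCCESS"})
```

The second source in the sample fails twice on one account and is not flagged, which is the distinction between a spray and ordinary mistyped passwords.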
The silver lining, according to Microsoft’s updated Form 8-K, is that the security snafu hasn’t had any financial impact on operations — yet.
Redmond says its investigation is ongoing and promised to share updates.
“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” the security update said. “It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.” ®