A Russia-based group, Midnight Blizzard, also known as Nobelium, has hacked Microsoft’s employee emails, including those of senior staff, Microsoft revealed in a recent blog post.
“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” explained the blog post.
This is not the first time Midnight Blizzard or Nobelium has targeted the company. Last year, Microsoft had accused it of using social engineering to carry out a cyberattack on Microsoft Teams.
Though the attack was initiated in late November 2023, it was detected only on January 12, 2024. “The incidence shows, like in earlier such cases, that even the most sophisticated cyber security systems are far from being adequate. The fact that the intrusion began in late November 2023 and was detected only around mid-January 2024, as per Microsoft’s blog post, makes such incidents even more alarming,” said Deepak Kumar, the founder analyst and chief research officer at BMNxt Business and Market Advisory.
A weak link in security?
Microsoft stressed that the attack was not because of a vulnerability in its products or services. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required,” the company blog post read.
However, analysts believe that possibly not enough was done to secure the email accounts of senior leadership. “The breach also hints at the possibility that best practices, such as zero-trust security, are not necessarily being applied to email accounts of senior leadership, who have been the primary targets in this case,” said Kumar. He added that a “weak link the security chain” might have led to the compromise of the employee emails.
There is a significant increase in cyberattacks led by Russia-based groups. Nobelium is believed to be part of Russia’s Foreign Intelligence Service or SVR and is known to target government organizations and NGOs in the US and Europe. Nobelium is also credited with carrying out the attack targeting SolarWinds customers in 2020, known to be one of the biggest cyberattacks.
Last month, US CISA issued an advisory that SVR is exploiting the vulnerability in JetBrains TeamCity software to target organizations. In view of the increasing intensity of cyberattacks, Microsoft announced Secure Future Initiative (SFI) last year, to better protect its customers. Now the company says it will “act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”