Microsoft acknowledges state-backed Russian hackers breached senior leaders’ emails

State-backed actors breach Microsoft's email system, compromising sensitive data.

Microsoft has disclosed that it was targeted by a hacking group affiliated with the Russian state. The intrusion began in late November 2023 and was detected in January 2024; it compromised the email accounts of several key personnel, including members of the senior leadership team, cybersecurity staff, and legal staff. 

Microsoft says only a small number of corporate accounts were affected, but the theft of sensitive emails and attachments by a group of this capability carries significant consequences. This blog post covers the details of the attack, its potential impact, and related developments. 

Breach Details and Microsoft's Response

While Microsoft declined to specify which or how many members of its senior leadership team were affected, a regulatory filing revealed that the company successfully removed hacker access from compromised accounts around January 13th, 2024. 

Microsoft also confirmed that it is notifying employees whose emails were accessed. 

The company's investigation indicates that the attackers initially targeted email accounts for information about the hacking group itself, in other words, what Microsoft's security and legal teams knew about them. That explains the choice of victims: leadership, cybersecurity, and legal staff are the people most likely to hold such material. 

Further details about the specific content accessed and the attackers' ultimate objectives remain unclear while the investigation continues. 

SEC Disclosure Requirements and Timeline

The Microsoft disclosure coincides with a recent change in U.S. regulations. A new rule implemented by the Securities and Exchange Commission (SEC) requires publicly traded companies to disclose a cybersecurity incident within four business days of determining that it is material, unless the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety. 

Microsoft's regulatory filing, made on a Friday, adheres to this timeline. It stated that "as of the date of this filing, the incident has not had a material impact" on its operations, while acknowledging that the investigation is ongoing and not ruling out a future financial impact.

Technical Details of the Breach

The filing reveals that the hackers responsible for the breach are believed to be affiliated with Russia's SVR foreign intelligence agency. They gained initial access by compromising a "legacy" non-production test account, then used the permissions reachable from that foothold to access the email accounts of senior leadership and other personnel. The lesson for defenders is a familiar one: a forgotten test account with weak credentials and none of the protections applied to production accounts is a low-effort entry point that leads to high-value targets. 

The specific technique employed by the hackers is known as "password spraying." Rather than trying many passwords against one account, the attacker tries a small number of commonly used passwords against a large number of accounts. Each account sees only a few failed logins, so lockout thresholds are never tripped and the activity is easy to miss unless sign-in logs are examined across accounts rather than one account at a time. Microsoft previously reported similar credential-theft tactics by the same group in August 2023, when it used Microsoft Teams chats sent from compromised tenants to phish credentials from users at multiple organizations. 
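The breach described above combines two things a defender can look for: a spray pattern (many accounts, few failures each, one source) and a success on a dormant account in the middle of it. The following script is an added example, not code from Microsoft or from the original post. It parses constructed sign-in log lines (made up for illustration, in an assumed `timestamp user source_ip result` format) and flags source IPs whose failures are spread thinly across many accounts, reporting any account that did authenticate from the same source. The window size and thresholds are assumptions and should be tuned to the environment.

```python
"""Flag password-spray behaviour in sign-in logs (added example, not Microsoft's code).

Spray signature: one source IP, many distinct accounts, only a few failures per
account within a time window. A brute force (one account, many failures) is
deliberately NOT matched, so the two can be alerted on separately.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for illustration only. Format (assumed):
# <ISO-8601 timestamp> <user> <source_ip> <FAILURE|SUCCESS>
SAMPLE_LOG = """\
2024-01-10T02:00:01Z alice@corp.example 203.0.113.7 FAILURE
2024-01-10T02:00:09Z bob@corp.example 203.0.113.7 FAILURE
2024-01-10T02:00:17Z carol@corp.example 203.0.113.7 FAILURE
2024-01-10T02:00:25Z dave@corp.example 203.0.113.7 FAILURE
2024-01-10T02:00:33Z erin@corp.example 203.0.113.7 FAILURE
2024-01-10T02:00:41Z legacy-test@corp.example 203.0.113.7 SUCCESS
2024-01-10T02:01:00Z frank@corp.example 198.51.100.4 FAILURE
2024-01-10T02:01:05Z frank@corp.example 198.51.100.4 FAILURE
2024-01-10T02:01:10Z frank@corp.example 198.51.100.4 FAILURE
2024-01-10T02:01:15Z frank@corp.example 198.51.100.4 FAILURE
2024-01-10T02:01:20Z frank@corp.example 198.51.100.4 FAILURE
2024-01-10T02:01:25Z frank@corp.example 198.51.100.4 FAILURE
2024-01-10T09:15:00Z alice@corp.example 192.0.2.10 FAILURE
2024-01-10T09:15:30Z alice@corp.example 192.0.2.10 SUCCESS
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return {source_ip: {"accounts_targeted": n, "successes": [users]}} for spraying IPs.

    Thresholds are assumptions: at least `min_accounts` distinct accounts failing
    from one IP inside `window`, with no single account failing more than
    `max_per_account` times (breadth, not depth).
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Sliding window: advance `start` until the window fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            fails = defaultdict(int)
            successes = set()
            for _, user, result in evs[start:end + 1]:
                if result == "FAILURE":
                    fails[user] += 1
                else:
                    successes.add(user)
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                f = findings.setdefault(ip, {"accounts_targeted": 0, "successes": set()})
                f["accounts_targeted"] = max(f["accounts_targeted"], len(fails))
                # Any success from a spraying IP is the account that fell.
                f["successes"] |= successes

    return {ip: {"accounts_targeted": f["accounts_targeted"],
                 "successes": sorted(f["successes"])}
            for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, f in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"spray from {ip}: {f['accounts_targeted']} accounts targeted, "
              f"compromised: {f['successes'] or 'none'}")
```

On the sample data the single-account brute force from 198.51.100.4 and the ordinary failed-then-successful login from 192.0.2.10 are not reported; only 203.0.113.7 is, together with the legacy test account that accepted one of the sprayed passwords. In production the same logic is usually expressed as a query over the identity provider's sign-in logs rather than a script, but the grouping (by source, across accounts, bounded per account) is the part that matters.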

Microsoft's Response and Reassurance

Microsoft emphasizes that the attack did not exploit any vulnerabilities in their products or services. They also assure customers that there is currently no evidence of hackers gaining access to customer environments, production systems, source code, or AI systems. Any future actions required by customers will be communicated directly by Microsoft. 

Background on the Hacking Group

Microsoft tracks the group responsible for the attack as "Midnight Blizzard"; it used the name "Nobelium" before updating its threat-actor naming taxonomy in 2023. Other vendors track the same group under their own names, including APT29 (Mandiant, owned by Google) and Cozy Bear (CrowdStrike). 

In a 2021 blog post, Microsoft described a previous large-scale attack attributed to the same group, calling it “the most sophisticated nation-state attack in history.” This attack, known as the SolarWinds hack, compromised numerous entities, including U.S. government agencies, private companies, and think tanks. 

The primary focus of the SVR, the agency believed to be behind the current Microsoft breach, is intelligence gathering. Their targets typically include governments, diplomats, think tanks, and IT service providers in the United States and Europe. 
