Microsoft says state-backed Russian hackers accessed company emails: NPR


The Microsoft logo is seen at Mobile World Congress 2023 in Barcelona, ​​Spain, on March 2, 2023. In a blog post on Friday, Microsoft said that state-backed Russian hackers had infiltrated its company’s email system.

Juan Mateo Parra/AFP



BOSTON — Russian state-backed hackers breached Microsoft’s email system and accessed the accounts of members of the company’s leadership team, as well as the accounts of employees on its cybersecurity and legal teams, the company said Friday.

Microsoft said in a blog post that the hack began in late November and was discovered on January 12. It said the same highly skilled Russian hacking team behind the SolarWinds hack was responsible.

The company said that a “very small percentage” of Microsoft accounts were accessed, and some emails and attached documents were stolen.

A company spokesperson said Microsoft had no immediate comment on how many, or which, members of its senior leadership had their email accounts hacked. In a regulatory filing on Friday, Microsoft said it was able to remove the hackers’ access to the compromised accounts on or around January 13.

“We are in the process of notifying employees whose email has been accessed,” Microsoft said, adding that its investigations indicate that the hackers were initially targeting email accounts to obtain information related to their activities.

The SEC requires companies to quickly disclose breaches

Microsoft’s revelation comes a month after a new US Securities and Exchange Commission rule went into effect, forcing publicly traded companies to disclose breaches that could negatively impact their businesses. It gives them four days to do so unless they obtain a national security waiver.

In a regulatory filing with the Securities and Exchange Commission on Friday, Microsoft said that “as of the date of this filing, the incident has not had a material impact” on its operations. It added, however, that it had not “determined whether the incident was reasonably likely to have a material impact” on its finances.

Microsoft, which is headquartered in Redmond, Washington, said hackers from Russia’s foreign intelligence agency SVR gained access by compromising credentials in an “old” test account, suggesting it contained outdated code. After gaining a foothold, they used account permissions to access the accounts of the senior leadership team and others. The brute force attack method used by hackers is called “password spraying.”

The threat actor uses one shared password to attempt to log in to multiple accounts. In a blog post in August, Microsoft described how its threat intelligence team discovered that the same Russian hacking team used this technique to try to steal credentials from at least 40 different global organizations through Microsoft Teams chats.
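The pattern described above is what distinguishes spraying from ordinary brute force: each account sees only a handful of failures (staying under lockout thresholds), but one source touches many accounts. The following is an added illustration, not code from the article or from Microsoft; it runs a simple spray detector over constructed sign-in log lines (hypothetical IPs, usernames and the log format are all assumptions) and reports whether a sprayed source also obtained a successful login, the kind of foothold the article describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 203.0.113.7 alice@example.test FAILURE
2024-01-10T09:00:03Z 203.0.113.7 bob@example.test FAILURE
2024-01-10T09:00:05Z 203.0.113.7 carol@example.test FAILURE
2024-01-10T09:00:07Z 203.0.113.7 dave@example.test FAILURE
2024-01-10T09:00:09Z 203.0.113.7 eve@example.test FAILURE
2024-01-10T09:00:11Z 203.0.113.7 test-legacy@example.test SUCCESS
2024-01-10T09:01:00Z 198.51.100.4 alice@example.test FAILURE
2024-01-10T09:01:30Z 198.51.100.4 alice@example.test FAILURE
2024-01-10T09:02:00Z 198.51.100.4 alice@example.test SUCCESS
"""


def parse_events(text):
    """Parse the assumed whitespace-separated log format into tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources whose failed logins hit >= min_users DISTINCT accounts
    within a sliding window. Per-account failure counts are ignored on
    purpose: a spray keeps each account below lockout thresholds.
    Returns {ip: {"sprayed": [users], "succeeded": [users]}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))
    alerts = {}
    for ip, rows in by_ip.items():
        failures = [(ts, u) for ts, u, o in rows if o == "FAILURE"]
        for i, (start, _) in enumerate(failures):
            users = {u for ts, u in failures[i:] if ts - start <= window}
            if len(users) >= min_users:
                # Any success from the same source after the spray began is
                # the candidate foothold account to investigate first.
                hits = sorted({u for ts, u, o in rows if o == "SUCCESS" and ts >= start})
                alerts[ip] = {"sprayed": sorted(users), "succeeded": hits}
                break
    return alerts
```

The second source in the sample (repeated failures against a single account) is deliberately not flagged, since that is classic brute force rather than spraying; a slow spray spread over days would need a longer window or per-day aggregation than this 10-minute example uses.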

“The attack was not the result of a security vulnerability in Microsoft products or services,” the company said in the blog. “To date, there is no evidence that the threat actor has any access to customer environments, production systems, source code, or AI systems. We will notify customers if action is needed.”

Microsoft calls the hacking unit Midnight Blizzard. Before Microsoft revamped its threat actor naming scheme last year, the group was called Nobelium. Cybersecurity company Mandiant, which is owned by Google, calls the group Cozy Bear.

In a 2021 blog post, Microsoft described the SolarWinds hacking campaign as “the most sophisticated attack on a nation-state in history.” In addition to US government agencies, including the Departments of Justice and Treasury, more than 100 private companies and research institutions were hacked, including software and communications providers.

The main focus of the SVR is intelligence gathering. It primarily targets governments, diplomats, think tanks, and IT service providers in the United States and Europe.
