Microsoft’s network has been compromised through password spraying by Russian state hackers



Russian state hackers exploited a weak password to penetrate Microsoft’s network and accessed emails and documents belonging to senior executives and employees working on its security and legal teams, Microsoft said late Friday.

The attack, which Microsoft attributed to a Kremlin-backed hacking group it tracks called Midnight Blizzard, is at least the second time in as many years that failure to follow basic security hygiene has led to a breach that could harm customers. One paragraph of Friday’s disclosure, which was filed with the Securities and Exchange Commission, was startling:

Starting in late November 2023, a threat actor used a password spraying attack to compromise an old, non-production test tenant account and gain a foothold, and then used the account permissions to access a very small percentage of Microsoft email accounts, including members of our senior leadership team and employees in our cybersecurity functions, legal functions, etc., and leaked some emails and attached documents. The investigation indicates that they were initially targeting email accounts to obtain information related to Midnight Blizzard itself. We are in the process of notifying employees whose email has been accessed.

Microsoft did not discover the hack until January 12, exactly a week before Friday’s disclosure. Microsoft’s account raises the possibility that the Russian hackers had uninterrupted access to the accounts for up to two months.

A translation of the 93 words quoted above: an account inside the Microsoft network was protected by a weak password, with no form of two-factor authentication in use. The Russian adversary group was able to guess it by trying previously compromised or commonly used passwords against it until it finally landed on the right one. The threat actor then accessed the account, which indicates that either two-factor authentication (2FA) was not employed or the protection was somehow bypassed.

Furthermore, the “legacy non-production test tenant account” was configured in some way that allowed Midnight Blizzard to pivot from it and gain access to some of the company’s most senior and most sensitive employee accounts.
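The two failure modes described above (a password spray succeeding against an account without 2FA, and a forgotten test account that was never disabled) are exactly what sign-in telemetry should surface. The following Python script is an added example written for this page; it is not Microsoft’s code and not derived from the filing. It uses a constructed, invented log format (one sign-in per line: timestamp, source IP, account, outcome, MFA flag) and separates a spray (one source, many accounts, one or two attempts each) from a classic brute force (one source, one account, many attempts), then lists any account that the spraying source later signed into without MFA.

```python
"""Password-spray detection over sign-in logs (added example, constructed data)."""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample records; these are invented for the example, not real logs.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z 203.0.113.10 alice@corp.example FAILURE mfa=yes
2023-11-28T02:00:14Z 203.0.113.10 bob@corp.example FAILURE mfa=yes
2023-11-28T02:00:27Z 203.0.113.10 carol@corp.example FAILURE mfa=yes
2023-11-28T02:00:40Z 203.0.113.10 dave@corp.example FAILURE mfa=yes
2023-11-28T02:00:53Z 203.0.113.10 erin@corp.example FAILURE mfa=yes
2023-11-28T02:01:06Z 203.0.113.10 legacy-test@corp.example SUCCESS mfa=no
2023-11-28T02:05:00Z 198.51.100.7 frank@corp.example FAILURE mfa=yes
2023-11-28T02:05:03Z 198.51.100.7 frank@corp.example FAILURE mfa=yes
2023-11-28T02:05:06Z 198.51.100.7 frank@corp.example FAILURE mfa=yes
2023-11-28T02:05:09Z 198.51.100.7 frank@corp.example FAILURE mfa=yes
2023-11-28T02:05:12Z 198.51.100.7 frank@corp.example FAILURE mfa=yes
2023-11-28T02:05:15Z 198.51.100.7 frank@corp.example FAILURE mfa=yes
2023-11-28T09:00:00Z 192.0.2.5 alice@corp.example SUCCESS mfa=yes
"""

SignIn = namedtuple("SignIn", "time source account success mfa")
EPOCH = datetime(1970, 1, 1)  # naive reference point for window bucketing


def parse(log_text):
    """Parse the constructed 'ts src account OUTCOME mfa=yes|no' format."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, account, outcome, mfa = line.split()
        records.append(SignIn(
            time=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            source=source,
            account=account,
            success=(outcome == "SUCCESS"),
            mfa=(mfa == "mfa=yes"),
        ))
    return records


def classify_failures(records, window=timedelta(minutes=10),
                      spray_min_accounts=5, spray_max_per_account=2,
                      brute_min_attempts=5):
    """Group failed sign-ins per source and time window, then label each group.

    A spray touches many distinct accounts with few attempts each; a brute
    force hammers one account. Thresholds are example values to tune.
    """
    buckets = defaultdict(list)
    for r in records:
        if r.success:
            continue
        slot = (r.time - EPOCH) // window  # integer window index
        buckets[(r.source, slot)].append(r)

    alerts = []
    for (source, _slot), fails in sorted(buckets.items()):
        per_account = Counter(r.account for r in fails)
        heaviest = max(per_account.values())
        if len(per_account) >= spray_min_accounts and heaviest <= spray_max_per_account:
            alerts.append({"source": source, "kind": "password_spray",
                           "accounts": sorted(per_account), "attempts": len(fails)})
        elif heaviest >= brute_min_attempts:
            account, n = per_account.most_common(1)[0]
            alerts.append({"source": source, "kind": "brute_force",
                           "accounts": [account], "attempts": n})
    return alerts


def sprayed_accounts_without_mfa(records, alerts):
    """Accounts a spraying source successfully signed into with no MFA challenge.

    This is the 'legacy test account with no 2FA' case: the one success that
    follows a run of failures from the same source deserves immediate review.
    """
    spray_sources = {a["source"] for a in alerts if a["kind"] == "password_spray"}
    return sorted({r.account for r in records
                   if r.success and not r.mfa and r.source in spray_sources})


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    found = classify_failures(recs)
    for a in found:
        print(f"{a['kind']:<15} from {a['source']}: {a['attempts']} attempts "
              f"across {len(a['accounts'])} account(s)")
    print("no-MFA success after spray:", sprayed_accounts_without_mfa(recs, found))
```

The bucketing is a fixed 10-minute window per source, which is simple and deterministic; a production detector would use a sliding window and would also join on the tenant so that a test tenant's sign-ins are not evaluated in isolation from the accounts it can reach.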

As Steve Bellovin, a computer science professor and affiliated professor of law at Columbia University with decades of experience in cybersecurity, wrote on Mastodon:

There are a lot of wonderful monuments here. A successful password spraying attack indicates a lack of 2FA and either reused or weak passwords. Accessing email accounts belonging to the “Senior Leadership…Cybersecurity and Legal” teams with only “Test Tenant Account” permissions indicates that someone gave this test account incredible privileges. Why? Why wasn’t it removed when the test finished? I also note that it took Microsoft about seven weeks to discover the attack.

While Microsoft said it was not aware of any evidence that Midnight Blizzard gained access to customer environments, production systems, source code or AI systems, some researchers expressed doubts, particularly about whether the Microsoft 365 service was vulnerable to similar attack techniques. One of those researchers was Kevin Beaumont, who has a long career in cybersecurity that included a stint at Microsoft. He wrote on LinkedIn:

Microsoft employees use Microsoft 365 for email. SEC filings and blogs without details on Friday night are great.. but need to be followed up with actual details. The days of Microsoft setting up tents, codewords, CELA stuff, and pretending MSTIC sees everything (threat actors own Macs too) are over, and it needs to make a radical technical and cultural shift to maintain trust.

CELA is an acronym for Corporate, External and Legal Affairs, a group within Microsoft that helps draft disclosures. MSTIC stands for Microsoft Threat Intelligence Center.
