The emails of senior Microsoft executives were compromised in a sophisticated APT attack linked to Russia


January 20, 2024 | Newsroom | Cyber espionage / Email security

Microsoft revealed on Friday that it was the target of a nation-state attack on the company’s systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments.

The Windows maker attributed the attack to a Russian Advanced Persistent Threat (APT) group it tracks as Midnight Blizzard (formerly Nobelium), which is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.

It also said it immediately took steps to investigate, disrupt, and mitigate the malicious activity upon discovery on January 12, 2024. The campaign is estimated to have begun in late November 2023.

“The threat actor used a password spraying attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said.
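The initial access described in Microsoft’s statement is the classic password-spraying pattern: a single source tries one or two common passwords against many accounts, staying under every per-account lockout threshold, and the defender’s signal is breadth across accounts rather than depth against one. The following is an added example, not code from Microsoft or from the article, showing how that signal can be pulled out of sign-in records, and how a success from the same source right after a spray marks the account that became the foothold. The log lines, IP addresses, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the incident):
# "<ISO timestamp> <source IP> <account> <result>".
# 203.0.113.10 sprays six accounts once each, then succeeds on a legacy test account.
# 198.51.100.7 hammers a single account (brute force, not spraying).
# 192.0.2.50 is ordinary user activity.
SAMPLE_SIGNIN_LOG = """\
2023-11-28T02:00:01Z 203.0.113.10 alice@corp.example failure
2023-11-28T02:00:09Z 203.0.113.10 bob@corp.example failure
2023-11-28T02:00:17Z 203.0.113.10 carol@corp.example failure
2023-11-28T02:00:25Z 203.0.113.10 dave@corp.example failure
2023-11-28T02:00:33Z 203.0.113.10 erin@corp.example failure
2023-11-28T02:00:41Z 203.0.113.10 legacy-test@corp.example failure
2023-11-28T02:01:00Z 203.0.113.10 legacy-test@corp.example success
2023-11-28T02:05:00Z 198.51.100.7 frank@corp.example failure
2023-11-28T02:05:03Z 198.51.100.7 frank@corp.example failure
2023-11-28T02:05:06Z 198.51.100.7 frank@corp.example failure
2023-11-28T02:05:09Z 198.51.100.7 frank@corp.example failure
2023-11-28T02:05:12Z 198.51.100.7 frank@corp.example failure
2023-11-28T02:05:15Z 198.51.100.7 frank@corp.example failure
2023-11-28T09:00:00Z 192.0.2.50 alice@corp.example success
"""


def parse_events(text):
    """Turn the whitespace-separated log into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: [accounts]} for sources that, within `window`, failed against
    at least `min_accounts` distinct accounts while hitting each account at most
    `max_per_account` times. The low per-account count is what distinguishes spraying
    from brute force and lets it slip past per-account lockout policies.
    Thresholds are illustrative assumptions; tune them to your own baseline."""
    failures_by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "failure":
            failures_by_ip[ip].append((ts, account))

    findings = {}
    for ip, attempts in failures_by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, account in attempts[start:end + 1]:
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                # Keep the widest set of sprayed accounts seen for this source.
                if len(counts) > len(findings.get(ip, [])):
                    findings[ip] = sorted(counts)
    return findings


def spray_followed_by_success(events, spray_findings):
    """For each flagged spraying source, list accounts that later signed in successfully
    from that same source: the likely foothold, and the first thing to contain."""
    first_failure = {}
    for ts, ip, account, result in events:
        if ip in spray_findings and result == "failure":
            first_failure[ip] = min(ts, first_failure.get(ip, ts))

    footholds = defaultdict(set)
    for ts, ip, account, result in events:
        if ip in spray_findings and result == "success" and ts >= first_failure[ip]:
            footholds[ip].add(account)
    return {ip: sorted(accounts) for ip, accounts in footholds.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_SIGNIN_LOG)
    sprays = detect_password_spray(evs)
    print("spraying sources:", sprays)
    print("successful sign-ins after spray:", spray_followed_by_success(evs, sprays))
```

On the constructed sample the brute-force source is deliberately not reported as spraying, because a single account receiving many attempts is a different detection (and one that per-account lockout already handles); the spraying source is reported with all six accounts, and the legacy test account is the one that signed in successfully afterwards. In a real tenant the same logic belongs in the identity provider’s sign-in log pipeline, and the mitigation the incident points to is the same regardless of tooling: legacy and non-production accounts need MFA and conditional access as much as production ones, since the attacker only needs one of them to hold permissions into the mail estate.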

Redmond said the nature of the targeting suggested the threat actor was looking for information Microsoft held about Midnight Blizzard itself. It also confirmed that the attack was not the result of any vulnerability in its products and that there is no evidence the adversary accessed customer environments, production systems, source code, or AI systems.

However, the computing giant did not reveal how many email accounts were compromised or what information was accessed, but said it was in the process of notifying employees affected by the incident.


The hacking group, which was previously responsible for the high-profile SolarWinds supply chain hack, has targeted Microsoft twice before: once in December 2020, when it stole source code related to its Azure, Intune, and Exchange components, and again in June 2021, when it compromised three of its customers via password spraying and brute-force attacks.

“This attack highlights the ongoing risk to all organizations from well-resourced nation-state threat actors like Midnight Blizzard,” the Microsoft Security Response Center (MSRC) said.
