State-sponsored Russian hackers have penetrated Microsoft’s corporate email system, gaining access to email accounts belonging to members of the company’s leadership team, as well as cybersecurity and legal personnel. This cyber intrusion occurred between late November and January 12th and is believed to be the work of the same sophisticated hacking group responsible for the SolarWinds breach. Although only a small percentage of Microsoft accounts were compromised, some emails and attached documents were stolen. The impact of this breach on Microsoft’s operations and finances is yet to be determined.
Microsoft announced in a blog post that it had become aware of the breach on January 12th, after it had been in progress for over a month. The company stated that the Russian hacking team responsible for the SolarWinds breach, known as Midnight Blizzard or Cozy Bear, was behind this attack as well. The exact number and identities of the Microsoft leadership team members whose email accounts were breached have not been disclosed. However, Microsoft did mention that a “very small percentage” of corporate accounts were compromised.
Upon discovering the breach, Microsoft took immediate action to remove the hackers’ access to the compromised accounts. The company is currently in the process of notifying employees whose email accounts were accessed. It is noteworthy that Microsoft has not found any evidence so far to indicate that the hackers had access to customer environments, production systems, source code, or AI systems. This suggests that the attackers’ focus was primarily on gathering intelligence rather than causing extensive damage.
Microsoft’s disclosure of the breach is in compliance with the new U.S. Securities and Exchange Commission rule that requires companies to promptly report breaches that could negatively impact their operations. As of the date of Microsoft’s regulatory filing, it reported no material impact on its operations. However, the financial impact has yet to be determined. Microsoft’s cooperation with authorities and its transparency in the aftermath of the breach will play a significant role in assessing any potential penalties and reputational damage.
The Russian hackers gained access to Microsoft’s email system by compromising credentials on a “legacy” test account that had outdated code. This entry point allowed them to conduct a password spraying attack, which involves using a single common password to attempt unauthorized access to multiple accounts. Microsoft stresses that this attack was not the result of a vulnerability in their products or services, indicating that the responsibility lies with weak password practices rather than any security flaws on their part.
The hacking group responsible for the breach, Midnight Blizzard or Cozy Bear, is the same group behind the SolarWinds attack. The SolarWinds breach was described as the most sophisticated nation-state attack in history, targeting various U.S. government agencies, private companies, and think tanks. Microsoft’s connection to this attack highlights the persistent and increasingly brazen nature of state-sponsored cyber espionage. The main targets of the Russian SVR foreign intelligence agency, responsible for these attacks, are governments, diplomats, think tanks, and IT service providers in the United States and Europe.
The breach of Microsoft’s email system by state-backed Russian hackers highlights the ongoing threat posed by sophisticated cyber adversaries. Microsoft’s swift response and mitigation measures demonstrate its commitment to protecting its users’ data and systems. As investigations continue, the impact on Microsoft’s finances and reputation remains uncertain. This incident serves as a reminder for organizations of the importance of robust cybersecurity practices to safeguard sensitive information from determined threat actors.
Leave a Reply