On Friday, March 8, 2024, Microsoft published an update on what it called a “nation-state attack” detected by the Microsoft Security Team on January 12 this year. The breach of the company’s corporate email systems was detected seven days after the incident, at which point the company’s response process was activated.
Eventually, the perpetrators were identified as Midnight Blizzard, the Russian state-sponsored actor also called NOBELIUM. Microsoft said Midnight Blizzard has recently gained or tried to gain unauthorized access using information exfiltrated from the company’s corporate email systems.
“This has included access to some of the company’s source code repositories and internal systems,” the Windows and Xbox maker said in the update. “To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”
Microsoft said that Midnight Blizzard was trying to use secrets it found in the exfiltrated emails—often shared between the company and customers. It said it is reaching out to “these customers to assist them in taking mitigating measures”.
“Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024,” Microsoft said.
“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so.”
In response to the threats, Microsoft said it has increased its investments in security, cross-enterprise coordination, and mobilization. The Xbox maker said it has also enhanced its ability to defend itself against persistent threats.
“Our active investigations of Midnight Blizzard activities are ongoing, and findings of our investigations will continue to evolve,” the Xbox maker said in concluding the update. “We remain committed to sharing what we learn.”
Microsoft said Midnight Blizzard used password spray to gain access to its systems
In Microsoft’s first publication about the January attack, it said, “The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts”.
The accounts impacted included those of employees in the company’s cybersecurity department, leadership team, legal team, and other functions. According to the Xbox maker, “The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.”
However, the Xbox maker stressed that the attack was not due to a vulnerability in the company’s product or services—a statement likely made to allay customer fears. At that time Microsoft said there was no evidence that the bad actors accessed “customer environments, production systems, source code, or AI systems”. However, the new information shared by the company now shows that some of the areas earlier thought to be unaffected were affected.
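The password-spray pattern Microsoft describes above, as an added detection example that is not from the article or from Microsoft: it runs over constructed sign-in records (the timestamps, IP addresses, account names and tenant domain are hypothetical) and keys on one source failing against many distinct accounts with few attempts each, which is what separates a spray from a brute force on a single account, then reports any account that subsequently succeeded from that source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-01-05T03:00:01Z 203.0.113.7 alice@legacy-test.example failure
2024-01-05T03:00:04Z 203.0.113.7 bob@legacy-test.example failure
2024-01-05T03:00:09Z 203.0.113.7 carol@legacy-test.example failure
2024-01-05T03:00:13Z 203.0.113.7 dave@legacy-test.example failure
2024-01-05T03:00:20Z 203.0.113.7 erin@legacy-test.example failure
2024-01-05T03:00:27Z 203.0.113.7 frank@legacy-test.example success
2024-01-05T03:01:00Z 198.51.100.9 alice@legacy-test.example failure
2024-01-05T03:01:05Z 198.51.100.9 alice@legacy-test.example failure
2024-01-05T03:01:09Z 198.51.100.9 alice@legacy-test.example success
2024-01-05T09:15:00Z 192.0.2.44 grace@corp.example success
"""


def parse_events(text):
    """Parse whitespace-separated records into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that fail against at least min_accounts DISTINCT accounts
    inside one sliding window. A brute force hammers one account many times;
    a spray tries one or two common passwords across many accounts, so the
    distinct-account count is the signal. Returns
    {source_ip: {"accounts": n_failed_distinct, "succeeded": [accounts]}}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):            # tuples sort by timestamp first
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            window_evs = [e for e in evs[i:] if e[0] - start <= window]
            failed = {e[2] for e in window_evs if e[3] == "failure"}
            if len(failed) >= min_accounts:
                succeeded = sorted({e[2] for e in window_evs if e[3] == "success"})
                findings[ip] = {"accounts": len(failed), "succeeded": succeeded}
                break                    # one finding per source is enough
    return findings
```

On the sample, only 203.0.113.7 is flagged (five distinct failed accounts, then a success on a sixth); 198.51.100.9 fails repeatedly against a single account and is not a spray by this rule, which is the case to hand to a separate brute-force detector.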
In November, the Xbox maker launched the Secure Future Initiative. Announcing the initiative at that time, Microsoft Vice Chair and President Brad Smith said it had become necessary to launch a new response owing to the “speed, scale, and sophistication of cyberattacks”.
“This new initiative will bring together every part of Microsoft to advance cybersecurity protection,” Smith said. “It will have three pillars, focused on AI-based cyber defenses, advances in fundamental software engineering, and advocacy for stronger application of international norms to protect civilians from cyber threats.”
Midnight Blizzard intensified its attacks on Microsoft in November 2023. Its ultimate motives remain unclear.