UPDATED 18:08 EST / JANUARY 21 2024


Microsoft corporate email accounts hacked by same group behind SolarWinds hack

Microsoft Corp.’s security team has disclosed that Microsoft was targeted by a Russian-linked hacking group and that a small number of email accounts, including those belonging to senior staff, were compromised.

The attack was detected on Jan. 12, with a response plan immediately implemented to disrupt the activity and investigate what had happened. The investigation subsequently identified the threat actor behind the attack as a group Microsoft calls Midnight Blizzard, but is more commonly referred to as Nobelium.

Nobelium is the same group behind the attacks on SolarWinds Worldwide LLC, which started in 2019 but were first detected in December 2020. And the company that traced Nobelium to SolarWinds and issued warnings about the group was Microsoft.

The history is pertinent to why Microsoft was targeted by the group several years later. The email accounts breached at Microsoft included those belonging to the senior leadership team, the legal department and, most notably, employees on Microsoft’s cybersecurity team.

Microsoft’s investigation found that beginning in late November, the threat actor used a password spray attack to compromise a legacy nonproduction test tenant account to gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. Password spraying is a type of cyberattack in which an attacker tries a few commonly used passwords against many accounts, rather than many passwords against a single account, in an attempt to gain unauthorized access. Someone at Microsoft clearly was not following advice on using unique passwords.
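The pattern described above (a few passwords tried across many accounts from one source, followed by a single success that becomes the foothold) is exactly what a defender can look for in sign-in logs. The following is an added example, not code from the article or from Microsoft: it runs a simple spray detector over a constructed sign-in log. The log format (timestamp, source IP, account, outcome), the IP addresses, the account names and the thresholds are all assumptions made for illustration.

```python
"""Password-spray detection over sign-in records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records in an assumed "timestamp source_ip account outcome"
# format. These are illustrative only, not logs from the incident in the article.
SAMPLE_LOG = """\
2024-01-10T02:00:01Z 203.0.113.7 alice FAIL
2024-01-10T02:00:04Z 203.0.113.7 bob FAIL
2024-01-10T02:00:08Z 203.0.113.7 carol FAIL
2024-01-10T02:00:11Z 203.0.113.7 dave FAIL
2024-01-10T02:00:15Z 203.0.113.7 erin FAIL
2024-01-10T02:00:19Z 203.0.113.7 frank SUCCESS
2024-01-10T02:00:22Z 203.0.113.7 grace FAIL
2024-01-10T09:15:00Z 198.51.100.9 alice FAIL
2024-01-10T09:15:03Z 198.51.100.9 alice FAIL
2024-01-10T09:15:07Z 198.51.100.9 alice SUCCESS
2024-01-10T09:20:00Z 192.0.2.33 heidi SUCCESS
"""


def parse_log(text):
    """Parse the assumed whitespace-separated log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "user": user,
            "ok": outcome == "SUCCESS",
        })
    return records


def detect_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that fail against many *distinct* accounts inside one time window.

    The key signal of a spray is breadth (distinct accounts per source), not depth
    (attempts per account): 198.51.100.9 in the sample hammers one account and is a
    different pattern, so it is not flagged here. Any success from a flagged source
    inside the window is reported as a likely foothold to investigate first.
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda r: r["time"])
        for i, start in enumerate(events):
            if start["ok"]:
                continue  # windows are anchored on a failure
            end = start["time"] + window
            in_window = [e for e in events[i:] if e["time"] <= end]
            failed = {e["user"] for e in in_window if not e["ok"]}
            if len(failed) >= min_accounts:
                succeeded = sorted({e["user"] for e in in_window if e["ok"]})
                alerts.append({
                    "src": src,
                    "window_start": start["time"].isoformat(),
                    "failed_accounts": len(failed),
                    "successes": succeeded,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running the block prints one alert for 203.0.113.7: six distinct accounts failed within the window and one (frank) succeeded, which is the account a responder would review and reset first. In a real tenant the same logic would be keyed on the sign-in log's source and account fields, with the window and threshold tuned to the environment's normal failure rate.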

The investigation also found that Nobelium was looking for information about itself, further suggesting that the attack was targeted and personal.

The Microsoft Security Response Center notes that though some emails and attached documents were exfiltrated, there is no evidence that the threat actor had any access to customer environments, production systems, source code or artificial intelligence systems. Any customer that is found to be affected will be notified by Microsoft.

To Microsoft’s credit, not only was it upfront in disclosing that it was the victim, but it is also using the incident as proof of the continued risk posed by threat groups such as Midnight Blizzard/Nobelium.

“Given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient,” the Microsoft security team writes. “For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”

Image: DALL-E 3
