UPDATED 11:50 EDT / MARCH 08 2024


Microsoft says Russian-sponsored group Midnight Blizzard attempted another breach of its systems

Microsoft Corp. said today that it was targeted by Russian-linked hacking group Midnight Blizzard, which used information the attackers had stolen from Microsoft in a previous attack on its corporate email systems earlier this year.

Midnight Blizzard, also known as Cozy Bear and Nobelium, is the same gang known for the hack of SolarWinds Worldwide LLC in 2020. In the aftermath of the attack, Microsoft warned its customers that the hacking group had begun targeting its customers with “password spraying” and brute-force attacks.

In that earlier incident, Microsoft disclosed that it detected Midnight Blizzard inside its systems on Jan. 12 and shared that information on Jan. 19. According to the company, the attackers gained access to email systems, spied on executives and stole documents attached to those emails.

Today, Microsoft revealed that Midnight Blizzard also gained access to some internal systems and code repositories. However, the company stressed that there was no evidence found that the hacking group had any access to Microsoft-hosted customer-facing systems.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” Microsoft said in a blog post. “It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”

Although the company did not reveal details of what secrets were compromised from the stolen emails, they are potentially credentials, application programming interface keys and other authentication material. Email is often used to exchange authentication details between partners when setting up accounts for developers and engineers, which would leave customers open to attack if that information were revealed to malicious third parties.

Microsoft said that the hacking group has increased the volume of some types of its attacks, such as password sprays, by as much as 10-fold in February compared to the volume seen in January. A password spray attack works by trying the same password against many accounts before moving on to the next password. Spreading attempts across accounts keeps the number of failures against any single account low enough to avoid triggering a lockout. Security experts warn users to avoid simple passwords and to avoid reusing passwords across different accounts, since both make this sort of attack more likely to succeed.
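The lockout-evading pattern described above is exactly what makes a spray visible to a defender: one source produces a small number of failures against each of many accounts, whereas a conventional brute-force attack piles many failures onto one account. The following Python script is an added illustration of that distinction, not code from the article or from Microsoft. It runs over constructed, key=value style authentication log lines and classifies each source address using a sliding time window; the log format, the source addresses and the thresholds (five distinct accounts, at most three failures per account, five failures for brute force, ten-minute window) are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Three sources:
#   198.51.100.7 fails once against each of six accounts  -> spray pattern
#   192.0.2.9    fails six times against one account      -> brute-force pattern
#   203.0.113.4  one user mistypes twice, then succeeds   -> benign
SAMPLE_LOG = """\
2024-02-10T09:00:01Z auth=fail user=alice src=198.51.100.7
2024-02-10T09:00:04Z auth=fail user=bob src=198.51.100.7
2024-02-10T09:00:07Z auth=fail user=carol src=198.51.100.7
2024-02-10T09:00:10Z auth=fail user=dave src=198.51.100.7
2024-02-10T09:00:13Z auth=fail user=erin src=198.51.100.7
2024-02-10T09:00:16Z auth=fail user=frank src=198.51.100.7
2024-02-10T09:01:00Z auth=fail user=admin src=192.0.2.9
2024-02-10T09:01:02Z auth=fail user=admin src=192.0.2.9
2024-02-10T09:01:04Z auth=fail user=admin src=192.0.2.9
2024-02-10T09:01:06Z auth=fail user=admin src=192.0.2.9
2024-02-10T09:01:08Z auth=fail user=admin src=192.0.2.9
2024-02-10T09:01:10Z auth=fail user=admin src=192.0.2.9
2024-02-10T09:02:00Z auth=fail user=grace src=203.0.113.4
2024-02-10T09:02:05Z auth=fail user=grace src=203.0.113.4
2024-02-10T09:02:12Z auth=ok user=grace src=203.0.113.4
"""


def parse_line(line):
    """Parse one '<iso-timestamp> key=value ...' line into a dict (assumed format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), **fields}


def classify_sources(lines, window=timedelta(minutes=10), min_accounts=5,
                     max_per_account=3, brute_threshold=5):
    """Label each source address that produced at least one failed login.

    'spray'       : within one window the source failed against >= min_accounts
                    distinct users while never exceeding max_per_account failures
                    on any single user (the lockout-evading signature).
    'brute_force' : within one window some single user saw >= brute_threshold
                    failures from this source.
    'benign'      : neither pattern was seen.
    Thresholds are example values, not an established standard.
    """
    failures = defaultdict(list)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for e in events:
        if e["auth"] == "fail":
            failures[e["src"]].append(e)

    labels = {}
    for src, evs in failures.items():
        label = "benign"
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never spans more than `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            counts = Counter(e["user"] for e in evs[start:end + 1])
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                label = "spray"
                break  # spray is the more specific finding; stop here
            if max(counts.values()) >= brute_threshold:
                label = "brute_force"
        labels[src] = label
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:<14} {label}")
```

In a real deployment the per-source key would usually be widened (sprays are often spread across many source addresses, so grouping by user-agent, ASN or tenant and alerting on distinct accounts per window is common), and the thresholds would be tuned against the organization's own baseline of legitimate failed logins.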

The company said that it categorizes Midnight Blizzard as a significant, sustained and ongoing threat whose actions reflect those of a nation-state attacker. “It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so,” the company said.

Microsoft said that because the hacking group is considered a persistent threat, the investigation is still ongoing. It will continue to reveal more details as they come to light and share information with authorities.
