
Microsoft breached by Russian APT behind SolarWinds attack

Several email accounts belonging to Microsoft senior leadership were accessed as part of the breach, though Microsoft found 'no evidence' of customer environments being accessed.

Microsoft on Friday said a notorious Russian state-sponsored actor it tracks as Midnight Blizzard breached the tech giant's network and accessed "a very small percentage of Microsoft corporate email accounts."

Midnight Blizzard, previously referred to as Nobelium, is best known as the threat actor behind the infamous supply chain attack against SolarWinds in late 2020. The advanced persistent threat group, more commonly known as Cozy Bear and APT29, breached SolarWinds and poisoned software updates for the company's Orion platform with malicious implants, which more than 18,000 customers installed. The hackers used the implants to access hundreds of victims' networks, including U.S. government agencies, Microsoft, Intel, Cisco and others.

Microsoft revealed that Midnight Blizzard struck again two months ago. The company said in a Friday blog post that on Jan. 12, it detected a nation-state attack on corporate systems and took immediate steps to "investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access."

"Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account's permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents," the blog post said.
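The initial access described in that quote is a password spray: one or a few passwords tried against many accounts, so that no single account trips a lockout threshold, followed by a successful sign-in to whichever account accepted the guess. The script below is an added example, not code from Microsoft or from this article, showing how that pattern can be picked out of sign-in telemetry. The log records are constructed for the example and only loosely resemble Entra ID sign-in events; the field names (`ip`, `user`, `error`) and the thresholds (five accounts within an hour, at most three attempts each) are assumptions. Error code 50126 is the Entra ID code for an invalid username or password.

```python
"""Flag password-spray activity in sign-in logs (added example, not Microsoft's code).

Signature per source IP: many distinct accounts failing with a bad-password error
inside a short window, with few attempts per account. A later success from the
same source against one of the sprayed accounts is reported as the foothold.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): one JSON record per line.
# error 50126 = invalid username or password, error 0 = successful sign-in.
SAMPLE_LOG = """
{"time": "2023-11-28T02:00:01", "ip": "203.0.113.10", "user": "alice@contoso.example", "error": 50126}
{"time": "2023-11-28T02:00:09", "ip": "203.0.113.10", "user": "bob@contoso.example", "error": 50126}
{"time": "2023-11-28T02:00:17", "ip": "203.0.113.10", "user": "carol@contoso.example", "error": 50126}
{"time": "2023-11-28T02:00:25", "ip": "203.0.113.10", "user": "dave@contoso.example", "error": 50126}
{"time": "2023-11-28T02:00:33", "ip": "203.0.113.10", "user": "erin@contoso.example", "error": 50126}
{"time": "2023-11-28T02:00:41", "ip": "203.0.113.10", "user": "legacy-test@contoso.example", "error": 50126}
{"time": "2023-11-28T02:31:12", "ip": "203.0.113.10", "user": "legacy-test@contoso.example", "error": 0}
{"time": "2023-11-28T03:10:00", "ip": "198.51.100.5", "user": "frank@contoso.example", "error": 50126}
{"time": "2023-11-28T03:10:05", "ip": "198.51.100.5", "user": "frank@contoso.example", "error": 50126}
{"time": "2023-11-28T03:10:11", "ip": "198.51.100.5", "user": "frank@contoso.example", "error": 50126}
{"time": "2023-11-28T03:10:20", "ip": "198.51.100.5", "user": "frank@contoso.example", "error": 0}
{"time": "2023-11-28T09:00:00", "ip": "192.0.2.7", "user": "alice@contoso.example", "error": 0}
"""

BAD_PASSWORD = 50126
SUCCESS = 0


def parse_log(text):
    """Parse JSON-lines sign-in records and convert timestamps to datetimes."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def detect_password_spray(events, min_accounts=5, window=timedelta(hours=1),
                          max_attempts_per_account=3):
    """Return one finding per source IP that shows a spray pattern.

    Each finding lists the sprayed accounts and any of them that later signed in
    successfully from the same IP (the attacker's foothold).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["error"] == BAD_PASSWORD]
        best = None
        # Slide a window forward from each failure and keep the widest spray.
        for i, start in enumerate(failures):
            in_win = [f for f in failures[i:] if f["time"] - start["time"] <= window]
            per_account = Counter(f["user"] for f in in_win)
            # Many accounts, few attempts each: a brute force against one
            # account has the opposite shape and is deliberately not matched.
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_attempts_per_account):
                if best is None or len(per_account) > len(best["accounts"]):
                    best = {"ip": ip, "start": start["time"],
                            "end": in_win[-1]["time"],
                            "accounts": sorted(per_account)}
        if best is None:
            continue
        sprayed = set(best["accounts"])
        best["compromised"] = sorted({
            e["user"] for e in evs
            if e["error"] == SUCCESS and e["user"] in sprayed and e["time"] >= best["start"]
        })
        findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']}: {len(f['accounts'])} accounts sprayed "
              f"{f['start']:%H:%M:%S}-{f['end']:%H:%M:%S}; compromised: {f['compromised']}")
```

On the constructed sample the script reports one spray from 203.0.113.10 across six accounts and names `legacy-test@contoso.example` as the account that subsequently signed in, while the repeated failures against a single account from 198.51.100.5 are left alone because they do not fit the many-accounts, few-attempts shape. Real sprays are usually spread over many source IPs and much longer windows, so in production the grouping key and thresholds need tuning, and a seldom-used legacy or test account that succeeds after a spray deserves the same scrutiny as a production one.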

According to Microsoft, the attack was not the result of a vulnerability in Microsoft products or services, and there is "no evidence" that customer environments or production systems were accessed. "The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself," the blog post said.

In an 8-K filing with the U.S. Securities and Exchange Commission last week, Microsoft said it was "able to remove the threat actor's access to the email accounts on or about January 13, 2024." The company said it is still investigating the breach and examining the data access by Midnight Blizzard to determine the impact.

TechTarget Editorial asked Microsoft whether any information that could be relevant to customer data was compromised as part of the attack, but the company declined to comment. Instead, a Microsoft spokesperson shared the following statement, which echoed the blog post:

Our security team recently detected an attack on our corporate systems attributed to the Russian state-sponsored actor Midnight Blizzard. We immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. More information is available in our blog.

The blog post also mentioned the Secure Future Initiative, Microsoft's plan announced last fall to promote transparency and improve cybersecurity in both its own organization and across the tech ecosystem. The initiative came in the wake of years of criticism from the cybersecurity industry toward Microsoft's practices surrounding its transparency, patching and communication.

"As we said late last year when we announced Secure Future Initiative (SFI), given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk -- the traditional sort of calculus is simply no longer sufficient," the blog post read. "For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes."

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.
