
Midnight Blizzard accessed Microsoft systems, source code

Microsoft said Midnight Blizzard used data stolen from a breach of its corporate email system to access other parts of the company's network, including source code repositories.

Microsoft on Friday said Midnight Blizzard, a Russian state-sponsored actor that compromised the tech giant starting in November, has accessed Microsoft source code and internal systems.

On Jan. 19, Microsoft said the threat actor it tracks as Midnight Blizzard accessed "a very small percentage of Microsoft corporate email accounts" through a password spraying attack against a legacy non-production test tenant account. The attack began in November and was ultimately detected on Jan. 12. The threat actor that compromised Microsoft, also tracked by researchers as APT29 and Cozy Bear, was responsible for the devastating 2020 supply-chain attack against SolarWinds.

In its initial disclosure on Jan. 19, Microsoft said the threat actor accessed "Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents." However, the scope of the attack might be larger than initially thought.

In a Friday blog post authored by the Microsoft Security Response Center, the tech giant said that as a result of further investigation, Microsoft found evidence that Midnight Blizzard recently gained access to the company's source code and internal systems.

"In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," the post read. "This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised."

Moreover, Microsoft said the threat actor is attempting to use "secrets" it found during the initial breach. Although Microsoft said there was no evidence that customer-facing systems have been compromised, a number of these "secrets" were exchanged in emails between Microsoft and customers.

"It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures," Microsoft wrote.

A Microsoft spokesperson told TechTarget Editorial that the company was referring to cryptographic secrets, such as passwords, keys and digital certificates. As part of the ongoing threat activity, the blog post said Midnight Blizzard's password spraying attacks increased tenfold last month compared to the activity it observed in January.
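As an added, defender-side illustration (not code from Microsoft's post or from this article), the password-spray shape described above, one source trying a single guess against many accounts, detected over constructed sample sign-in events. The log format, hostnames and IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): one source fails once
# against many distinct accounts, then lands on a legacy test account.
SAMPLE_LOG = """\
2024-01-10T02:00:01Z src=203.0.113.7 user=alice@example.test result=FAIL
2024-01-10T02:00:03Z src=203.0.113.7 user=bob@example.test result=FAIL
2024-01-10T02:00:05Z src=203.0.113.7 user=carol@example.test result=FAIL
2024-01-10T02:00:07Z src=203.0.113.7 user=dave@example.test result=FAIL
2024-01-10T02:00:09Z src=203.0.113.7 user=erin@example.test result=FAIL
2024-01-10T02:00:11Z src=203.0.113.7 user=test-legacy@example.test result=SUCCESS
2024-01-10T02:30:00Z src=198.51.100.9 user=alice@example.test result=FAIL
2024-01-10T02:30:04Z src=198.51.100.9 user=alice@example.test result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse_events(text):
    """Parse the constructed log format into (timestamp, src, user, result)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Flag any source that fails against at least min_users distinct accounts
    within one window (many users, few tries each: the spray signature, which
    per-account lockout thresholds miss), and list accounts it then reached."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            failed = {u for t, u, r in evs[i:] if r == "FAIL" and t - t0 <= window}
            if len(failed) >= min_users:
                hit = sorted(u for t, u, r in evs if r == "SUCCESS")
                alerts[src] = {"distinct_failed_users": len(failed), "successes": hit}
                break
    return alerts
```

A normal user retrying their own password (the second source above) is not flagged, while the source that touched five accounts is, together with the account it succeeded on.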

Microsoft also filed an 8-K with the SEC alongside the blog post's publishing that includes similar language and information.

It's unclear if any Microsoft customers were breached by Midnight Blizzard and how many customers were potentially affected. It's similarly unclear when Midnight Blizzard used the exfiltrated data to breach the internal systems and what types of source code were accessed in the intrusion. Microsoft declined to comment further.

Microsoft said its investigation is ongoing and warned the threat actor's activity will continue. "Midnight Blizzard's ongoing attack is characterized by a sustained, significant commitment of the threat actor's resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so."

Since the breach was disclosed in January, security vendors and executives have criticized Microsoft on a number of different fronts relating to the attack. Among these criticisms is the fact that the compromised test tenant account had no multifactor authentication enabled. In addition, some argued Microsoft was using occasions such as these to seemingly upsell its own security products.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
