Microsoft has officially acknowledged that Russian cyber spies, known as Midnight Blizzard, have infiltrated their internal systems. The breach, which is still ongoing, has resulted in the theft of source code and unauthorized access to internal systems.
Details of the Breach
In an updated filing with the US Securities and Exchange Commission (SEC), Microsoft has provided additional information about the security breach, which was initially disclosed in January.
Midnight Blizzard, also known as Cozy Bear and APT29, is a Kremlin-backed group that was previously implicated in the SolarWinds supply chain attack. The group has been found snooping on a small percentage of Microsoft’s corporate email accounts, stealing internal messages and files from the leadership team, as well as cybersecurity and legal employees.
While Microsoft initially stated in January that there was no evidence of the threat actor accessing customer environments, production systems, source code, or AI systems, this has since changed.
Recent evidence suggests that Midnight Blizzard is using information initially exfiltrated from Microsoft’s corporate email systems to gain, or attempt to gain, unauthorized access. This includes access to some of the company’s source code repositories and internal systems.
Customer-Facing Systems Remain Safe
Despite these developments, Microsoft maintains that there is no evidence so far that the Russian criminals have compromised any customer-facing systems. However, this is not due to a lack of effort on the part of Midnight Blizzard.
Microsoft has admitted that Midnight Blizzard is attempting to use various types of secrets it has discovered. Some of these secrets were shared between customers and Microsoft via email. As these secrets are discovered in the exfiltrated email, Microsoft has been reaching out to these customers to assist them in taking mitigating measures.
Ongoing Attempts at Unauthorized Access
The break-in, which began in November, used password spray attacks to compromise an internal account that did not have multi-factor authentication enabled. The spies are still attempting to access additional Microsoft accounts, and the volume of password sprays increased ten-fold in February compared to January.
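The low-and-slow pattern described above (one source trying a few passwords against many accounts, then landing on one without MFA) is what defenders hunt for in sign-in logs. The following is an added example, not code from the article or from Microsoft: a small detector over constructed sign-in records, with hypothetical account names and addresses from documentation IP ranges.

```python
# Added example: flag password-spray sources in sign-in records and list the
# accounts on which a flagged source later succeeded. All data is constructed.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 2, 10, 3, 0)  # constructed base timestamp

# Constructed sign-in records: (timestamp, source_ip, account, result).
# 198.51.100.7 sprays one guess across many accounts and then succeeds on a
# legacy service account; 203.0.113.5 is one user mistyping their password.
SAMPLE_EVENTS = [
    (T0 + timedelta(minutes=m), "198.51.100.7", user, "FAILURE")
    for m, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    (T0 + timedelta(minutes=7), "198.51.100.7", "svc-legacy", "SUCCESS"),
    (T0 + timedelta(minutes=1), "203.0.113.5", "alice", "FAILURE"),
    (T0 + timedelta(minutes=2), "203.0.113.5", "alice", "FAILURE"),
    (T0 + timedelta(minutes=3), "203.0.113.5", "alice", "SUCCESS"),
]


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Map source_ip -> sorted targeted accounts for every source that, within
    one sliding `window`, failed against at least `min_users` distinct accounts
    with no more than `max_per_user` failures each (the spray signature, as
    opposed to brute force, which hammers a single account)."""
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_window = Counter(u for t, u in attempts[i:] if t - start <= window)
            if len(in_window) >= min_users and max(in_window.values()) <= max_per_user:
                flagged[ip] = sorted(in_window)
                break
    return flagged


def successes_from_spray_sources(events, flagged):
    """(source_ip, account) pairs where a flagged source obtained a SUCCESS:
    the first accounts to check for a missing MFA requirement, to revoke
    sessions on, and to rotate any credentials they can reach."""
    return sorted({(ip, user) for _, ip, user, result in events
                   if result == "SUCCESS" and ip in flagged})


if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_EVENTS)
    print(hits, successes_from_spray_sources(SAMPLE_EVENTS, hits))
```

The thresholds are starting points; tune `min_users` and `window` to your tenant's sign-in volume, and correlate by user-agent or ASN as well as source IP, since sprays are routinely spread across residential proxy pools.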
According to Microsoft’s updated SEC Form 8-K, the security breach has not had any financial impact on operations so far.
Industry Reactions
Adam Meyers, the head of counter-adversary operations at CrowdStrike, has noted that Microsoft’s recent 8-K filing raises more questions for customers and the industry than it answers. He has also stated that this breach highlights the broader authentication issues with Azure, Microsoft’s cloud service.
Meyers, who had previously criticized Microsoft soon after the email intrusion was disclosed in January, pointed out that Microsoft has been breached by both China and Russia in the past year. The latter incident was enabled by sensitive Microsoft key material exfiltrated from inside the company’s own systems.
This latest disclosure introduces uncertainty about Microsoft’s ability to evict Cozy Bear, serving as a stark reminder of the deeper issues seemingly affecting Azure’s authentication and security mechanisms.
Global Implications
In a year where 42 percent of the world’s population is electing new leadership, there are growing concerns about how potential access to Microsoft’s sensitive data and AI models may be misused by hostile nation states. This concern is particularly relevant given the upcoming elections across the globe in 2024.
Ongoing Investigation
Microsoft (often referred to in the press as Redmond, after its headquarters) has stated that its investigation is ongoing and has promised to share updates as they become available.
Characteristics of the Attack
The ongoing attack by Midnight Blizzard is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. The group may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This situation reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.