Russian hackers have breached Microsoft’s corporate email system, accessing the accounts of key members of the leadership team. Microsoft discovered the intrusion on Jan. 12; the attack began in late November. The attackers were linked to the SolarWinds breach, which also involved highly skilled Russian hackers.
Microsoft disclosed that only a small percentage of corporate accounts were accessed, resulting in the theft of some emails and attached documents. The company reports that it has removed the hackers’ access from the compromised accounts and is notifying employees whose email was accessed.
The disclosure from Microsoft comes just a month after a new U.S. Securities and Exchange Commission rule took effect, requiring publicly traded companies to report breaches that could negatively impact their business within four days. Microsoft stated in an SEC regulatory filing that, as of the date of the disclosure, the incident had not significantly impacted its operations, and that it had not yet determined whether the incident was reasonably likely to affect its finances.
The hackers, from Russia’s SVR foreign intelligence agency, gained access by compromising credentials on a “legacy” test account, indicating the presence of outdated code. Once this foothold was established, they exploited the account’s permissions to access the accounts of the senior leadership team and others, using a brute-force technique known as “password spraying.”
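As an added illustration of the detection side of the technique described above (example code written for this page, not Microsoft’s or any vendor’s tooling), the following Python flags the password-spray shape in a constructed set of sign-in events: one source makes a few guesses against many accounts, then succeeds against a dormant test account. The event layout, thresholds and account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, source IP, account, result);
# not real logs. Source 10.0.0.9 sprays one guess across many accounts and
# then succeeds against a dormant legacy test account. Source 192.0.2.7 is an
# ordinary user who mistyped their password twice and is not a spray.
SAMPLE_EVENTS = [
    ("2023-11-20T02:00:00", "10.0.0.9", "alice", "failure"),
    ("2023-11-20T02:00:05", "10.0.0.9", "bob", "failure"),
    ("2023-11-20T02:00:10", "10.0.0.9", "carol", "failure"),
    ("2023-11-20T02:00:15", "10.0.0.9", "dave", "failure"),
    ("2023-11-20T02:00:20", "10.0.0.9", "erin", "failure"),
    ("2023-11-20T02:00:25", "10.0.0.9", "legacy-test-01", "failure"),
    ("2023-11-20T02:03:00", "10.0.0.9", "legacy-test-01", "success"),
    ("2023-11-20T09:00:00", "192.0.2.7", "frank", "failure"),
    ("2023-11-20T09:00:30", "192.0.2.7", "frank", "failure"),
    ("2023-11-20T09:01:00", "192.0.2.7", "frank", "success"),
]

def detect_password_spray(events, window=timedelta(hours=1),
                          min_accounts=5, max_per_account=3):
    """Return {source_ip: {"targets": set, "compromised": set}} for every
    source whose failed sign-ins inside `window` hit at least `min_accounts`
    distinct accounts with at most `max_per_account` failures each (many
    accounts, few guesses per account: the opposite of a single-account
    brute force). Accounts that later succeed from that source are listed
    as "compromised" so responders can prioritise them."""
    by_source = defaultdict(list)
    for ts, src, user, result in events:
        by_source[src].append((datetime.fromisoformat(ts), user, result))
    findings = {}
    for src, rows in by_source.items():
        rows.sort()
        fails = [(t, u) for t, u, r in rows if r == "failure"]
        for i, (start, _) in enumerate(fails):          # slide the window
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - start > window:
                    break
                per_user[u] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                targets = set(per_user)
                compromised = {u for t, u, r in rows
                               if r == "success" and u in targets and t >= start}
                findings[src] = {"targets": targets, "compromised": compromised}
                break
    return findings
```

In a real tenant the same logic would run over sign-in audit logs, and a successful sign-in to a dormant or test account from a spraying source is the event worth paging on.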
The security breach raises concerns about the vulnerability of global organizations to nation-state cyber-attacks, especially as Microsoft noted that the same Russian hacking team had previously attempted to steal credentials from at least 40 different global organizations through Microsoft Teams chats.
Microsoft refers to this hacking unit as Midnight Blizzard and previously designated it Nobelium, while the Google-owned cybersecurity firm Mandiant identifies the group as APT29. The scope and sophistication of these cyber-attacks underscore the ongoing threat posed by state-sponsored hacking activities and the need for robust cybersecurity defenses.
The incident comes in the aftermath of the SolarWinds hacking campaign, which Microsoft previously characterized as “the most sophisticated nation-state attack in history.” This campaign affected numerous U.S. government agencies, private companies, and think tanks, adding to the growing concern about the extent of state-backed cyber espionage and the potential damage it can inflict.
The primary focus of the SVR is intelligence gathering, with a particular emphasis on targeting governments, diplomats, think tanks, and IT service providers in the U.S. and Europe. These incidents underscore the pervasive and persistent nature of state-sponsored cyber-attacks and the ongoing challenges faced by organizations in safeguarding their digital infrastructure and sensitive data.
The ripple effects of such breaches highlight the potential geopolitical and economic implications, as well as the urgent need for enhanced collaboration and coordinated efforts to combat and mitigate the impact of state-backed cyber threats. As organizations strive to fortify their cybersecurity defenses, the evolving nature of these threats necessitates constant vigilance and proactive measures to mitigate potential vulnerabilities and safeguard critical digital assets.