Microsoft disclosed that state-backed Russian hackers infiltrated its corporate email system, gaining unauthorized access to the accounts of members of the company’s senior leadership team, as well as those of employees in its cybersecurity and legal departments. According to a blog post by Microsoft, the intrusion began in late November 2023 and was not detected until January 12, 2024. The same Russian hacking team responsible for the SolarWinds breach was identified as the perpetrator of this attack.
While Microsoft stated that only a “very small percentage” of corporate accounts were accessed, it acknowledged that some emails and attached documents were stolen. The company was able to remove the hackers’ access from the compromised accounts on or about January 13 and is currently in the process of notifying employees whose email was accessed.
The disclosure comes a month after a new U.S. Securities and Exchange Commission rule took effect, requiring publicly traded companies to report a cybersecurity incident within four business days of determining that it is material to their business, unless the U.S. Attorney General grants a delay on national security or public safety grounds. In its regulatory filing, Microsoft stated that the incident had not had a material impact on its operations as of the date of the filing.
The hackers gained their initial foothold by compromising the credentials of a “legacy” test account, that is, an old, non-production account that had fallen outside current account-hygiene controls, rather than any outdated code. The technique they used, known as “password spraying,” tries one or a small number of common passwords across many accounts instead of many passwords against one account. Because each account sees only a few failures, the activity stays below lockout thresholds and blends into ordinary failed-login noise, which is why a single stale, weakly protected account is enough for it to succeed. This is not the first time the Russian hacking team, known as Midnight Blizzard, has targeted organizations through Microsoft services: Microsoft’s threat-intelligence team had previously reported the group using Microsoft Teams chats to go after its targets.
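The pattern described above, broad and shallow failures across many accounts from one source, is also what makes password spraying detectable. The following is an added example, not code from Microsoft or from the blog post this article summarizes, that scans a constructed sign-in log for that signature. The log format (timestamp, source IP, user, result, optional reason) and the thresholds (a 30-minute window, at least five distinct accounts, no more than three failures per account) are assumptions chosen to mimic a typical identity-provider sign-in export; the sample lines are made up and do not describe the incident.

```python
"""Flag password-spray patterns in sign-in logs (added example, not vendor code).

Assumed log line shape (constructed for this example):
    <ISO-8601 UTC timestamp> <source IP> <user> <SUCCESS|FAILURE> [<reason>]
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<result>SUCCESS|FAILURE)(?:\s+(?P<reason>\S+))?$"
)

# Constructed sample: 203.0.113.7 sprays one password across many accounts and
# gets into a stale test account; 198.51.100.9 is one user who fails four times
# then succeeds (looks like brute force or a forgotten password, not a spray);
# 192.0.2.5 is a single user with two typos. Only the first should be flagged.
SAMPLE_LOG = """\
2024-01-10T03:00:01Z 203.0.113.7 alice@example.test FAILURE InvalidPassword
2024-01-10T03:00:04Z 203.0.113.7 bob@example.test FAILURE InvalidPassword
2024-01-10T03:00:07Z 203.0.113.7 carol@example.test FAILURE InvalidPassword
2024-01-10T03:00:10Z 203.0.113.7 dave@example.test FAILURE InvalidPassword
2024-01-10T03:00:13Z 203.0.113.7 erin@example.test FAILURE InvalidPassword
2024-01-10T03:00:16Z 203.0.113.7 frank@example.test FAILURE InvalidPassword
2024-01-10T03:00:19Z 203.0.113.7 grace@example.test FAILURE InvalidPassword
2024-01-10T03:00:22Z 203.0.113.7 legacy-test-svc@example.test SUCCESS
2024-01-10T03:00:25Z 203.0.113.7 heidi@example.test FAILURE InvalidPassword
2024-01-10T03:05:00Z 198.51.100.9 carol@example.test FAILURE InvalidPassword
2024-01-10T03:05:30Z 198.51.100.9 carol@example.test FAILURE InvalidPassword
2024-01-10T03:06:00Z 198.51.100.9 carol@example.test FAILURE InvalidPassword
2024-01-10T03:06:30Z 198.51.100.9 carol@example.test FAILURE InvalidPassword
2024-01-10T03:07:00Z 198.51.100.9 carol@example.test SUCCESS
2024-01-10T03:10:00Z 192.0.2.5 dave@example.test FAILURE InvalidPassword
2024-01-10T03:10:20Z 192.0.2.5 dave@example.test SUCCESS
"""


def parse_log(text):
    """Parse log text into (timestamp, ip, user, result) tuples, sorted by time.

    Malformed or blank lines are skipped rather than aborting the scan.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"].lower(), m["result"]))
    events.sort()
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return one finding per source IP whose failures are broad but shallow.

    Broad: at least `min_users` distinct accounts fail inside one `window`.
    Shallow: no single account fails more than `max_per_user` times, i.e. the
    attacker is deliberately staying under a lockout threshold.
    Any SUCCESS from that IP after its first failure is reported as a likely
    compromised account.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        per_user = Counter(e[2] for e in failures)
        if not per_user or max(per_user.values()) > max_per_user:
            continue  # deep, not shallow: brute force or a confused user

        # Sliding window over the sorted failures: peak number of distinct
        # accounts failing within `window` of each other.
        peak, lo = 0, 0
        for hi in range(len(failures)):
            while failures[hi][0] - failures[lo][0] > window:
                lo += 1
            peak = max(peak, len({e[2] for e in failures[lo:hi + 1]}))
        if peak < min_users:
            continue  # not broad enough to look like a spray

        first_fail = failures[0][0]
        hits = sorted({e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= first_fail})
        findings.append({
            "ip": ip,
            "distinct_users": peak,
            "failures": len(failures),
            "compromised": hits,
        })
    return findings


def run_sample():
    """Scan the constructed sample log with the default thresholds."""
    return detect_spray(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ip']}: {f['distinct_users']} accounts, "
              f"{f['failures']} failures, compromised={f['compromised']}")
```

The two filters are deliberately asymmetric: a high per-account failure count is excluded because lockout policies already handle that case, while a spray is defined by the opposite shape, many accounts touched only once or twice. In a real deployment the source key would usually be an IP range or ASN rather than a single address, since spraying tooling rotates addresses, and any account that succeeds after the spray (here a stale service account) is the one to disable and investigate first.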
Microsoft emphasized that the attack did not result from a vulnerability in its products or services and that, to date, it has found no evidence that the threat actor had access to customer environments, production systems, source code, or AI systems. The company also stated that it will notify customers if any action on their part is required.
Midnight Blizzard is assessed to be operated by Russia’s Foreign Intelligence Service (SVR). The group focuses primarily on intelligence gathering and targets governments, diplomats, think tanks, and IT service providers in the U.S. and Europe. Previously tracked by Microsoft as Nobelium, it was responsible for the SolarWinds hacking campaign, which Microsoft described as “the most sophisticated nation-state attack in history.”
Microsoft’s disclosure comes amid heightened concern over threats from state-backed actors. The company continues to investigate the incident, and whether it will have a material effect on the company’s finances has yet to be determined.
In summary, the intrusion into Microsoft’s corporate email system carries real security implications for the company, its employees, and potentially its customers. Microsoft is working to contain the damage and notify affected employees, and the breach is a reminder that a nation-state actor does not need a product vulnerability when a single stale account with a guessable password will do.