Microsoft logo at office building showing Russian hackers accessed source code

Microsoft: Russian Hackers Gained Access to Source Code Repositories During January Attack

An update from Microsoft on the January attack by Russian hackers indicates that it was more damaging than originally reported, with the Midnight Blizzard group accessing “some” of the company’s internal systems and source code.

Microsoft says that there is still no evidence that customer-facing systems have been compromised, but that “secrets” that were shared between customers and the company in email exchanges have been exposed. The Russian hackers are apparently leveraging those secrets as part of attacks, and the company notes password spray attempts are up by very large amounts.

Russian hackers had greater access to internal company information than originally disclosed

The original report from Microsoft (made public on January 19) was that the Russian hackers had breached internal email systems using a password spray attack and had appeared to be seeking whatever information Redmond’s security team was holding on them. The company assured customers that the attackers had no access to their accounts and had not breached internal production environments or stolen source code.

That last bit appears to have been a premature analysis. Microsoft is now saying that the Russian hackers accessed “some” source code. And while customer-facing systems were not breached, the hackers accessed some confidential emails exchanged between Microsoft’s corporate email accounts and outside parties.

The initial assessment that the Russian hackers were only scouting for intelligence on themselves also appears to have been incorrect. Microsoft now says that the information Midnight Blizzard stole is likely feeding a major uptick in password spray attempts by the group. The company says that there was a “large” spike in January after the breach was discovered, followed by a ten-fold increase in attempts in February.

Microsoft did not get into detail about the source code that was stolen, other than to indicate there may have been “secrets” in it that the Russian hackers are now putting to work in their attacks. The company said that it has responded to the incident by implementing enhanced security controls, detections, and monitoring and increasing security investments.

Source code adds to ongoing questions about Microsoft breach

Midnight Blizzard is just a new name for the attackers more commonly called APT29 or Cozy Bear, the Russian hackers that have a long resume that ranges from election interference in multiple countries to the SolarWinds breach of late 2020. The group is thought to be directly integrated with Russia’s foreign intelligence service (SVR), raising serious concerns about exactly what “secrets” they purloined from Microsoft’s source code.

The group has attacked a broad range of targets during its time, but has shown the greatest degree of interest in breaching rival governments and the think tanks that contribute to much of their policy. As was demonstrated with SolarWinds, and now Microsoft, it often targets major IT service providers as a means of launching downstream attacks on their clients. The SolarWinds breach was first spotted by security service FireEye, which noticed that the Russian hackers were exfiltrating some of its own internal hacking tools.

Midnight Blizzard also has a long history of targeting Microsoft, which was another of their victims during the SolarWinds attack. That earlier breach also involved the theft of source code, in that case for what the company described as a “limited number” of Azure, Exchange and Intune components. The Russian hackers would return in 2021 to compromise a corporate employee account, which gave them access to the company’s customer service portal.

So while it’s not a surprise that the Russian hackers are going after Microsoft, the success they are having has raised some serious questions. The original breach, which was reported in January but actually began in November of last year, involved the gang simply hitting upon some sort of deprecated test account that had access to an OAuth application that in turn granted wide-ranging access to the company’s corporate network. There has yet to be a good explanation as to why that account existed and had that level of access in the first place, and how something that potentially dangerous was overlooked for so long.

The concerns about Microsoft are not limited to the actions of the Russian hackers. Chinese state-backed hackers have had several incursions into the company over the past few years, the most recent of which was a mid-2023 incident that involved the theft of an enterprise signing key. That incident did not involve the loss of source code, but did similarly allow the attackers to rampage through Microsoft 365 email inboxes.

Amit Yoran, CEO at Tenable, believes that this string of events has done irreparable damage to Microsoft’s reputation for security: “Microsoft’s breach by Midnight Blizzard is a strategic blow. By its own admission, Microsoft’s source code and ‘other secrets’ have been compromised. Midnight Blizzard isn’t some small-time criminal gang. They are a highly professional, Russian-backed outfit that fully understands the value of the data they’ve exposed and how to best use it to inflict maximum harm. Given Russia’s relationship with China and other strategic adversaries, the consequences get very troubling, very quickly. Microsoft’s ubiquity requires a much higher level of responsibility and transparency than what they’ve consistently shown. Even now they’re not sharing the full truth – for instance we don’t yet know which source code has been compromised. We should all be furious that this keeps happening. These breaches aren’t isolated from each other and Microsoft’s shady security practices and misleading statements purposely obfuscate the whole truth.”

Tim Callan, Chief Experience Officer at Sectigo, notes that most of these actions have not involved software exploits but rather have relied on relatively simple credential compromise: “It’s worth noting that this exploit originates with the same basic credentials compromises that we see in nearly all attacks of this nature. Once the attacker has inappropriate access, a whole host of additional malicious activity becomes possible. Stronger authentication methods, including PKI-based authentication, are our single most powerful defense against these breaches.”

John Bambenek, President at Bambenek Consulting, adds: “Whenever something like source code is stolen, incident responders have to start thinking about how that information can be used to attack the organization and customers. Ironically enough, secrets being part of the data being stolen makes this work a little easier. Attackers naturally gravitate towards credentials so defenders can put more strict monitoring on the underlying accounts to look for misuse (after rotating the keys or passwords, of course). That seems to be what’s driving the additional insights Microsoft provided this morning. However, unlike traditional expulsion events in IR where you simply close all the doors opened by an attacker, source code and secret theft requires ongoing monitoring, remediation, and response months after the breach was mitigated.”

And Omri Weinberg, Co-founder and CRO at DoControl, sees this as a reminder that even the biggest targets in the world can experience disconnect between executive decision-making and security needs: “Unfortunately, these things will never end and history always repeats itself. Companies, and mostly management teams or boards, need to understand that they must invest more money in their security posture. It’s a never-ending chess game in which you always need to be one step ahead of the attacker.”