Russian State Sponsored Hackers Behind Microsoft’s Corporate Email Security Breach

A January 12 security breach at Microsoft that involved the theft of some corporate emails has been attributed to state sponsored hackers, according to a recent blog post by the Microsoft Security Response Center (MSRC).

Microsoft has named “Midnight Blizzard,” an established Russian hacking group also referred to as NOBELIUM and Cozy Bear among other names, as the culprit. The company says that relatively few employee email accounts were accessed, but some of those that were breached were members of the senior leadership team. Midnight Blizzard did not appear to be attempting to penetrate further into the network, rather scouring potentially relevant email accounts for whatever information the company has on them.

Microsoft security breach appeared to be scouting expedition by Russian hackers

State sponsored hackers are generally cautious and patient in how they make use of access to high-level targets, and this incident appeared to be no exception. Microsoft says that the security breach was detected on January 12 and the illicit access cut off the following day, but the incident began with a successful password spray attack in late November of last year. That attack compromised a legacy non-production test tenant account.

Microsoft says that the attackers used this account’s permissions to access a “very small percentage” of corporate email accounts, but that members of the senior leadership team and cybersecurity employees were among them. The group’s interest appeared to be in itself: it was scouting for whatever information employees might hold on it, and exfiltrating particular emails and attachments.

Microsoft says that no access of customer environments, production systems, AI or source code took place during the security breach. There are no recommended actions for any customers at this time. A recent Form 8-K filing suggests that there will be no material impact on the company’s operations.

Though Microsoft downplayed the impact of the security breach in its public statement, outspoken critic Sen. Ron Wyden accused Redmond of negligence and called the incident “another wholly avoidable hack” that should prompt the government to re-evaluate its relationship with the company. Wyden has been going after Microsoft in this way since a mid-2023 attack allowed state sponsored hackers from China to access the M365 email accounts of senior government officials.

Multiple recent incidents involving state sponsored hackers spark concern about Microsoft security

Wyden is not the only one raising questions about the security breach, with numerous security analysts wondering why Microsoft would not have enforced multi-factor authentication on an account with this level of permissions in the email system. An even more fundamental question is why some sort of test account outside the production environment would even have this level of access to begin with.

The Russian state sponsored hackers are a formidable foe, but their path into the system seemed to be easier than usual. The group is renowned for its development and use of malware, starting with the “MiniDuke” campaign that first clued the rest of the world in to its existence around 2010. And though cybersecurity news rarely makes it to mainstream reporting, they became a household name as “Cozy Bear” during the 2015-2016 presidential election season in the US as they breached the Pentagon, Democratic National Committee, and assorted think tanks and NGOs. This led to accusations of election meddling, which security researchers believe was directed by the Kremlin.

The Dutch General Intelligence and Security Service has previously infiltrated the group and believes it is tied more closely to the Russian intelligence agencies than state sponsored hackers usually are; surveillance camera footage appears to confirm that the group is under direct command of the Russian Foreign Intelligence Service (SVR). It has not relented in its attacks over the years, having also been fingered for attacks on various Western governments to steal Covid-19 data and for the SUNBURST campaign that victimized SolarWinds in 2020. It is also the central suspect in a prior 2022 security breach of Microsoft that introduced the “MagicWeb” malware.

For its part, Microsoft continues to struggle with keeping state sponsored hackers out of its internal network. It is unsurprising that the company is heavily targeted by the world’s most advanced hackers, but it is surprising that they seem to get in with relatively simple tricks and exploitation of easily remedied oversights. The attack by the Chinese state sponsored hackers in mid-2023 raised hackles because Microsoft clients could easily have spotted it with a standard logging tool, one that is only included with a “premium” subscription to Microsoft 365 that most of its customers otherwise have little use for.

Arie Zilberstein, CEO & Co-Founder at Gem Security, notes that in this case the state sponsored hackers only had to successfully pull off a password spray to waltz into long-term access to the communications of the company’s highest-level employees: “Although conducted by a nation-state threat actor, this was not a sophisticated zero-day or supply chain attack – it was a relatively simple password spray attack. Surprisingly, the adversary managed to stay persistent in the cloud infrastructure for more than two months before being discovered. We recommend that organizations implement continuous monitoring of their cloud logs so they can spot anomalous activities before attackers can access and exfiltrate sensitive data.”
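As an added illustration of the continuous log monitoring Zilberstein recommends (this is example code written for this page, not code from Microsoft, Gem Security or the article), the script below runs a simple password-spray detector over a handful of constructed sign-in events. The pattern it looks for is the one the article describes: a single source address failing against many distinct accounts in a short window, followed by a successful sign-in, and the alert is rated most severe when that success was not protected by MFA. The JSON field names, the thresholds, the addresses and the account names are all assumptions made up for the example.

```python
"""Password-spray detection over sign-in events (added example, not from the article)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events in JSON-lines form. The schema (ts, user, ip,
# result, mfa) is an assumption for this example, not any vendor's real log format.
SAMPLE_LOG = """\
{"ts": "2023-11-20T02:00:01Z", "user": "alice@example.test", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2023-11-20T02:00:09Z", "user": "bob@example.test", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2023-11-20T02:00:17Z", "user": "carol@example.test", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2023-11-20T02:00:25Z", "user": "dave@example.test", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2023-11-20T02:00:33Z", "user": "erin@example.test", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2023-11-20T02:00:41Z", "user": "legacy-test@example.test", "ip": "203.0.113.7", "result": "success", "mfa": false}
{"ts": "2023-11-20T09:15:00Z", "user": "frank@example.test", "ip": "198.51.100.3", "result": "failure", "mfa": false}
{"ts": "2023-11-20T09:15:20Z", "user": "frank@example.test", "ip": "198.51.100.3", "result": "failure", "mfa": false}
{"ts": "2023-11-20T09:15:45Z", "user": "frank@example.test", "ip": "198.51.100.3", "result": "success", "mfa": true}
"""

# Detection thresholds (assumed values; tune to the tenant's normal sign-in volume).
WINDOW = timedelta(minutes=30)   # sliding window for counting failures per source IP
MIN_DISTINCT_USERS = 5           # distinct accounts failed from one IP to call it a spray


def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {ip: {"first_seen": ts, "users": set}} for IPs whose failures hit
    at least `min_users` distinct accounts inside any `window`-long span.
    A single user fat-fingering a password from one IP never trips this."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)

    sprays = {}
    for ip, fails in failures.items():
        start = 0
        for end, newest in enumerate(fails):
            # advance the window start so it covers only failures within `window`
            while newest["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                entry = sprays.setdefault(ip, {"first_seen": fails[0]["ts"], "users": set()})
                entry["users"] |= users
    return sprays


def successes_after_spray(events, sprays):
    """Flag any successful sign-in from a spraying IP once its spray began.
    A success without MFA is the worst case: the password alone was enough."""
    alerts = []
    for e in events:
        spray = sprays.get(e["ip"])
        if spray and e["result"] == "success" and e["ts"] >= spray["first_seen"]:
            alerts.append({
                "ip": e["ip"],
                "user": e["user"],
                "ts": e["ts"].isoformat(),
                "severity": "critical" if not e["mfa"] else "high",
                "accounts_tried": len(spray["users"]),
            })
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detectors over a log text and return (sprays, alerts)."""
    events = parse_events(text)
    sprays = detect_spray(events)
    return sprays, successes_after_spray(events, sprays)


if __name__ == "__main__":
    sprays, alerts = run()
    for ip, info in sprays.items():
        print(f"spray from {ip}: {len(info['users'])} distinct accounts, first failure {info['first_seen']}")
    for a in alerts:
        print(f"[{a['severity']}] successful sign-in for {a['user']} from spraying IP {a['ip']} at {a['ts']}")
```

On the constructed data the detector reports one spraying address and one critical alert: the success against the non-MFA test account. The single user with two failed attempts followed by an MFA-protected success produces nothing, which is the point of keying the rule on distinct accounts per source rather than on raw failure counts.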

Carol Volk, EVP of BullWall, notes that Midnight Blizzard’s relative restraint was the only thing that kept this incident from ending much more badly for Microsoft: “Microsoft is lucky this time, as apparently the gang was searching emails to see what MS was saying about them. They could have just as easily stolen or destroyed the data. Attackers can always find a way into a network, so regular air gapped backups and a rapid response ransomware containment system should be part of the complete defensive stack.”

Mark B. Cooper, President & Founder, PKI Solutions, opines that it is time for Microsoft to dispense with passwords entirely: “The continued use of passwords will always lead to more security breaches like Microsoft experienced. This is especially true when test/non-production accounts are expected to be used for a short period of time or won’t be used to access confidential information and are allowed to have weak security controls. A strong identity and encryption standard that covers all identities, temporary or otherwise, is the only way to stem the tide of password breaches. Stronger technology like mutual authentication certificates and security tokens have been around for decades, but it has been traditionally easy to dismiss the complexity or operational challenges as an excuse not to secure an enterprise the way it should.”