Microsoft has signalled changes in its approach to security after a nation-state attack exposed a number of corporate email accounts to Russia-linked hackers.

On 12 January, Microsoft’s security team detected an attack on its corporate systems led by prominent Russia-affiliated threat actor Midnight Blizzard.

The Russia-based outfit – which is widely attributed to the Foreign Intelligence Service of the Russian Federation (SVR) – has been seen conducting espionage against foreign interests since early 2018.

Some of Midnight Blizzard’s biggest claims to fame include the 2021 supply chain attack on networking software firm SolarWinds, as well as its known connections to SVR-linked hacker gang Cozy Bear – which notoriously meddled in the 2016 US presidential election.

According to the Microsoft Security Response Centre (MSRC), Midnight Blizzard began its assault in late November 2023, when it used a password spray attack to compromise a legacy, non-production test tenant account.

Once the threat actor established a foothold via the compromised account, it leveraged the account’s permissions to access a “very small percentage” of Microsoft corporate email accounts, including members of the company’s senior leadership team.

Other impacted accounts belonged to employees in Microsoft’s cyber security and legal functions, with the group managing to exfiltrate “some emails and attached documents” through its attack.

MSRC said Midnight Blizzard initially sought to procure information related to the threat actor itself, but has also been found targeting other organisations.

“As part of our usual notification processes, we have begun notifying these targeted organisations,” said Microsoft.

“It’s important to note that this investigation is still ongoing, and we will continue to provide details as appropriate.”

Last week, major IT company Hewlett Packard Enterprise (HPE) also disclosed it had been the victim of an attack by Midnight Blizzard – during which hackers gained access to the company’s Microsoft Office 365 email environment and “exfiltrated data” from a “small percentage of HPE mailboxes”.

HPE disclosed the incident in a filing with the US Securities and Exchange Commission, stating it was “notified” of the suspected nation-state actor activity on 12 December, and that it believed its mailboxes were accessed as early as May 2023.

According to CRN, HPE said it does not know if its Midnight Blizzard breach was related to the recent incident disclosed by Microsoft.

How did the attack happen?

While detailing the recent attack on its systems, Microsoft explained Midnight Blizzard utilises a “variety of initial access, lateral movement, and persistence techniques” to harvest information in support of Russian foreign policy interests.

The espionage group often uses stolen credentials or supply chain attacks to gain initial access, before running further exploits to achieve lateral movement across a targeted cloud environment.

The group’s methods are notably sophisticated, with its arguable bread and butter being its aptitude for abusing OAuth – an authorisation standard that allows websites and applications to access resources hosted by other web apps on a user’s behalf.

“Threat actors like Midnight Blizzard compromise user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity,” said Microsoft.

“The misuse of OAuth also enables threat actors to maintain access to applications, even if they lose access to the initially compromised account.”

In Microsoft’s case, the group used a password spray attack against an account which, shockingly, did not have multi-factor authentication (MFA) enabled.
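The two behaviours described above, a low-and-slow password spray that lands on an account without MFA and the subsequent granting of high permissions to an OAuth application, both leave traces in sign-in and audit logs. The following is an added detection example written for this article; it is not Microsoft’s code and not part of the incident report. The sign-in and audit events are constructed, the tenant name contoso.example is hypothetical, and the thresholds and the permission watchlist are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for a hypothetical tenant:
# (timestamp, source IP, user, result, MFA enforced on the account?).
# 203.0.113.7 tries one password against many accounts, then lands on an account with no MFA.
SIGNINS = [
    ("2023-11-20T02:00:01", "203.0.113.7", "alice@contoso.example", "failure", True),
    ("2023-11-20T02:00:04", "203.0.113.7", "bob@contoso.example", "failure", True),
    ("2023-11-20T02:00:07", "203.0.113.7", "carol@contoso.example", "failure", True),
    ("2023-11-20T02:00:10", "203.0.113.7", "dave@contoso.example", "failure", True),
    ("2023-11-20T02:00:13", "203.0.113.7", "erin@contoso.example", "failure", True),
    ("2023-11-20T02:00:16", "203.0.113.7", "legacy-test@contoso.example", "failure", False),
    ("2023-11-20T02:01:30", "203.0.113.7", "legacy-test@contoso.example", "success", False),
    # Benign noise: one user mistyping their own password twice from the office.
    ("2023-11-20T02:00:10", "198.51.100.5", "carol@contoso.example", "failure", True),
    ("2023-11-20T02:00:15", "198.51.100.5", "carol@contoso.example", "failure", True),
    ("2023-11-20T02:00:20", "198.51.100.5", "carol@contoso.example", "success", True),
]

# Constructed audit events: (timestamp, actor, activity, application, permission granted).
# Activity names follow the Entra ID audit-log style; the watchlist below is an assumption to tune.
AUDIT = [
    ("2023-11-21T03:12:00", "legacy-test@contoso.example", "Consent to application", "SyncHelper", "full_access_as_app"),
    ("2023-11-21T03:13:05", "legacy-test@contoso.example", "Add app role assignment to service principal", "SyncHelper", "Mail.ReadWrite"),
    ("2023-11-21T09:00:00", "itadmin@contoso.example", "Consent to application", "Expense Portal", "User.Read"),
]

HIGH_RISK_PERMISSIONS = {
    "full_access_as_app",            # Exchange Online: every mailbox, app-only
    "Mail.ReadWrite", "Mail.Read",   # Graph mailbox access
    "Directory.ReadWrite.All", "Application.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map each source IP whose failures fan out across many accounts (few tries each, so lockout
    thresholds are never hit) to the accounts it touched and any later successes on accounts
    where MFA was not enforced."""
    by_ip = defaultdict(list)
    for ts, ip, user, result, mfa_enforced in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result, mfa_enforced))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        failures = [r for r in rows if r[2] == "failure"]
        for i, (start, _, _, _) in enumerate(failures):
            per_user = defaultdict(int)
            for ts, user, _, _ in failures[i:]:   # sliding window over failures from this IP
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                successes = sorted({u for ts, u, res, mfa in rows
                                    if res == "success" and not mfa and ts >= start})
                findings[ip] = {"sprayed_users": sorted(per_user), "successes_without_mfa": successes}
                break
    return findings


def flag_risky_oauth_grants(audit_events, compromised_accounts=frozenset()):
    """Return grants of watchlisted permissions, noting whether the granting account is already suspect."""
    findings = []
    for ts, actor, activity, app, permission in audit_events:
        if permission in HIGH_RISK_PERMISSIONS:
            findings.append({
                "time": ts, "app": app, "permission": permission, "actor": actor,
                "activity": activity, "actor_compromised": actor in compromised_accounts,
            })
    return findings


def triage(signins, audit_events):
    """Chain the two checks: accounts a spray reached without MFA become the suspect set for the OAuth check."""
    spray = detect_password_spray(signins)
    suspects = {u for f in spray.values() for u in f["successes_without_mfa"]}
    return {"spray": spray, "oauth": flag_risky_oauth_grants(audit_events, suspects)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIGNINS, AUDIT), indent=2))
```

The spray check keys on the shape Microsoft describes rather than on volume: many distinct accounts, one or two attempts each, from a single source. On its own the OAuth check would page an analyst for every legitimate admin consent, so `triage` only marks a grant as `actor_compromised` when the granting account is one the spray reached without MFA; on these sample events that singles out the two `SyncHelper` grants and leaves the ordinary `User.Read` consent alone.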

Microsoft admitted the absence of MFA on the account was a significant issue, stating that “if the same team were to deploy the legacy tenant today”, Microsoft policy and workflows would ensure MFA was in place.

The tech giant further signalled changes to its security practices following the incident, particularly given the significant threat posed by nation-state actors.

“Given the reality of threat actors that are well resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk,” said Microsoft.

“For Microsoft, this incident has highlighted the urgent need to move even faster.”