Microsoft revealed on the 16th that it was the victim of a hack carried out by Russian government spies. Now, a week later, the technology giant has stated that it was not the only target of the spying operation. In a new blog post, the company says that “the same operator has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.”
Microsoft does not make clear, however, how many organizations have been affected by Russian-backed hackers. The software maker identified the hacker group as Midnight Blizzard — also known as Nobelium, APT29 and Cozy Bear. The group is believed to be sponsored by the Russian government and to act as the hacking division of Russia’s Foreign Intelligence Service (SVR), which has been linked to several attacks over the years.
Microsoft said it detected the intrusion on the 12th of this month and later established that the hacking campaign began in late November when hackers used a “password spraying attack” on a legacy system that did not have multi-factor authentication enabled. Password pulverizing occurs when hackers attempt to brute-force access to accounts using more commonly used passwords or a larger list of passwords from previous data breaches.
“The operator tailored its password spraying attacks to a limited number of accounts, using a low number of attempts to avoid detection and avoid account lockouts based on the volume of failures,” Microsoft wrote in its latest blog post. “The threat operator further reduced the likelihood of discovery by launching these attacks from a distributed residential proxy infrastructure. These evasion techniques helped ensure that the actor obfuscated his activity and could persist the attack over time until successful.”
Once hackers gained access to an account on that legacy system, they “used the account’s permissions to access a very small percentage of Microsoft corporate email accounts,” according to Microsoft, which has not yet specified how many email accounts. mail have been compromised.
Last Thursday, the 25th, Hewlett Packard Enterprise (HPE) announced that its email system hosted by Microsoft was hacked by Midnight Blizzard. HPE said it was notified of the breach on December 12. The company said that, according to its own investigation, hackers “accessed and exfiltrated data” from a “small percentage” of HPE mailboxes starting in May 2023.
It’s unclear how or if this breach is linked to the espionage campaign by the hackers who attacked Microsoft, as HPE said its incident was connected to a previous intrusion in which the same hackers exfiltrated “a limited number of SharePoint files ” from your network.
Source: CisoAdvisor
