
Microsoft says Russian hackers stole executives’ data

 

A gang of hackers backed by the Russian government broke into Microsoft’s corporate network and stole emails and attachments from senior executives and employees in the legal and cybersecurity departments, the company announced on Friday.

The software giant said that the advanced persistent threat (APT) group Nobelium, also known as Midnight Blizzard, APT29 and Cozy Bear, used a password spray attack to compromise a legacy non-production test customer account and gain a foothold. The hackers then used the account's permissions to access a percentage of Microsoft corporate email accounts. “[They] exfiltrated some emails and attached documents,” Microsoft said in a document sent to the US Securities and Exchange Commission (SEC).

The company said its security team detected the attack on its corporate systems last Friday, the 12th, and traced the infection back to November 2023.

Microsoft said members of its senior executive team were among the victims and noted that the hackers initially targeted email accounts to obtain information related to the company’s own knowledge of the APT’s operation. “The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the group has had access to customer environments, production systems, source code or artificial intelligence (AI) systems. We will notify customers if any action is necessary,” said the software maker.

Microsoft further emphasized that it will act immediately to apply current security standards to the legacy systems it owns and to its internal business processes, “even if these changes may cause disruption to existing business processes.” “The changes will likely cause some level of disruption as we adapt to this new reality.”

“We are continuing our investigation and will take additional actions based on the results of this investigation and will continue to work with appropriate law enforcement authorities and regulators,” Microsoft added.

The discovery of Russian hackers on Microsoft’s network comes less than six months after Chinese cyber spies were caught forging authentication tokens using a stolen Azure AD corporate signing key to break into M365 email inboxes. The hack, which led to the theft of email data from approximately 25 government organizations in the United States, is currently being investigated by the Cyber Security Review Board (CSRB).

Who is Nobelium?

Nobelium is a Russian government-sponsored hacking group believed to be the hacking division of Russia’s Foreign Intelligence Service (SVR), which has been linked to several attacks over the years.

The group gained notoriety when the US government linked it to the 2020 SolarWinds supply chain attack, which also impacted Microsoft at the time. The software maker later confirmed that the SolarWinds attack allowed hackers to steal the source code for a limited number of Azure, Intune and Exchange components. In June 2021, the Nobelium group once again breached a Microsoft corporate account, which allowed it to access customer support tools.

In addition to carrying out cyberespionage and data theft attacks, the hacker group is also known for developing custom malware to use in its attacks.

Microsoft has always been a highly valued target as it controls much of the data and services used by governments and companies around the world. More recently, the company was targeted by Chinese hackers who stole a signing key that allowed them to access the email accounts of two dozen organizations, including US and Western European government agencies.

 


Sources: CisoAdvisor, Microsoft
