Russian cyber spies infiltrated Microsoft’s systems, accessed source code

Microsoft has shared additional details on the attack in which a Russian government-backed group tracked as Midnight Blizzard compromised Microsoft’s corporate systems and gained access to the email accounts of the company’s employees, including senior staff, and “exfiltrated some emails and attached documents.”

In an update posted last week, Microsoft said that the threat actor, also known as APT29, Cozy Bear and Nobelium, used the stolen data to access some of the company’s source code repositories and internal systems. At present, there’s no evidence that customer systems were affected by the incident.

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” Microsoft noted in the blog post. “Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.”

Midnight Blizzard is notably the same threat actor believed to be responsible for the infamous SolarWinds breach back in 2020. The group has previously targeted the United States and NATO countries. In 2022, the threat actor focused on targeting organizations responsible for influencing and crafting the foreign policy of NATO countries. The group has been observed using newer tactics that involve abusing various Microsoft 365 features in order to evade detection.

Last month, the Five Eyes (FVEY) alliance released a joint cybersecurity advisory highlighting new strategies employed by Midnight Blizzard, more specifically, its methods to infiltrate organizations that have migrated to cloud-based infrastructures.

