
Microsoft Says Russian APT29 Accessed Source Code, Other Secrets

Microsoft officials say the Russian threat actors who compromised a number of internal Microsoft email accounts and stole sensitive company information last fall have continued to target Microsoft systems, using the data they obtained in the initial attacks to gain access to source code repositories, among other things.

In a new filing with the Securities and Exchange Commission, Microsoft said the attackers–which Microsoft identifies as Midnight Blizzard, a group affiliated with the Russian Foreign Intelligence Service–have been using a high volume of password spraying attacks and other methods to attempt to gain access to Microsoft internal systems.

“The threat actor’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. Our active investigations of the threat actor’s activities are ongoing, findings of our investigations will continue to evolve, and further unauthorized access may occur,” the filing says.

The initial attack began in November and when Microsoft disclosed it in January, the company said that the attackers, also known as APT29 and Cozy Bear, had specifically targeted high-value people inside the company, including senior leaders and people in the security organization.

“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” Microsoft said at the time of the initial disclosure in January.

The compromise of Microsoft internal systems represents a serious concern not just for the company itself, but also for its customers. In the initial compromise, the Midnight Blizzard attackers stole sensitive information that they are now using to further tailor their attacks on Microsoft and potentially some of its customers.

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024,” the Microsoft Security Response Team said in a new blog Friday.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”

Midnight Blizzard is one piece of the Russian offensive cybersecurity apparatus and is one of the more active and capable threat groups in operation right now. The group is responsible for the SolarWinds compromise in 2020 and has targeted energy companies, government agencies, and technology companies in the past. Two weeks ago, the Cybersecurity and Infrastructure Security Agency warned that the group was shifting some of its tactics to targeting cloud providers and applications.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment. They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves,” the CISA advisory says.

Microsoft said its investigation of the Midnight Blizzard attacks is still ongoing and further findings may be forthcoming.