Microsoft has disclosed a breach of its corporate email system by a Russia-sponsored hacking group known as “Midnight Blizzard.” The technology giant confirmed that an intrusion occurred, resulting in unauthorized access to company emails and potentially confidential attachments.
Upon discovering the breach on January 12, 2024, Microsoft's cybersecurity team promptly launched an investigation to assess the damage and scope of the intrusion. The investigation revealed that the spear-phishing campaign began in late November 2023 and was particularly aimed at gathering intelligence about Midnight Blizzard itself.
Employees whose email accounts were compromised are being notified. Among those affected are members of Microsoft's senior leadership, along with employees in key functions such as cybersecurity and legal. While the exfiltrated data consisted of internal communications, Microsoft has expressed confidence that customer accounts were unaffected by this incident.
Response and Mitigation Measures
Microsoft has committed to immediate action to secure its systems, applying stringent security standards even to the legacy and non-production systems that were exploited in this breach. The password spray attack, a technique in which attackers try a small set of common passwords against many accounts in hopes of gaining access, allowed the hackers to compromise old non-production test accounts, which then gave them access to a small fraction of Microsoft's corporate email accounts.
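The detection side of the technique described above, as an added example that is not Microsoft's code: a password spray shows up in sign-in logs as one source failing against many distinct accounts in a short window (unlike brute force, which hammers one account), and the source later succeeding against any of them is the signal that deserves an immediate response. The log format, IP addresses and account names below are constructed placeholders.

```python
# Added example (not Microsoft's code): flag password-spray patterns in
# sign-in logs. A spray is one source trying a few common passwords against
# MANY accounts, so count distinct usernames per source IP within a time
# window of failures, then report any account that source later signed into.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp, source IP, username, result.
# IPs and account names are hypothetical placeholders.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z 203.0.113.7 test-acct-01 FAILURE
2023-11-28T02:00:09Z 203.0.113.7 test-acct-02 FAILURE
2023-11-28T02:00:17Z 203.0.113.7 legacy-svc-03 FAILURE
2023-11-28T02:00:25Z 203.0.113.7 test-acct-04 FAILURE
2023-11-28T02:00:33Z 203.0.113.7 qa-user-05 FAILURE
2023-11-28T02:00:41Z 203.0.113.7 test-acct-06 SUCCESS
2023-11-28T02:03:00Z 198.51.100.9 alice FAILURE
2023-11-28T02:03:30Z 198.51.100.9 alice FAILURE
2023-11-28T02:04:00Z 198.51.100.9 alice SUCCESS
"""

def parse_log(text):
    """Parse each line into a (time, ip, user, result) tuple."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return, per suspicious source IP, the distinct accounts it failed against
    within `window` and the accounts it subsequently signed into successfully."""
    failures, successes = defaultdict(list), defaultdict(set)
    for t, ip, user, result in sorted(events):
        if result == "FAILURE":
            failures[ip].append((t, user))
        else:
            successes[ip].add(user)
    alerts = {}
    for ip, attempts in failures.items():
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            # Slide the window start forward so attempts[start:end+1] fits in `window`.
            while t_end - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:  # many accounts from one source: spray
                alerts[ip] = {"accounts": sorted(users),
                              "succeeded": sorted(successes[ip])}
                break
    return alerts

if __name__ == "__main__":
    print(detect_spray(parse_log(SAMPLE_LOG)))
```

The repeated failures against a single account from 198.51.100.9 are deliberately not flagged: that is a brute-force pattern, not a spray, and needs a per-account lockout rule instead.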
Further steps include a thorough review of internal protocols and the strengthening of defenses across the company's digital infrastructure. Microsoft continues collaborating with law enforcement and regulatory bodies as the investigation progresses. The company's Secure Future Initiative, which emphasizes transparency, underpins the decision to publicly disclose information regarding the security lapse.
The group identified as Midnight Blizzard, previously tracked by Microsoft as “Nobelium,” is notorious for its espionage activities, including the significant infiltration of U.S. government agencies in 2021, in which it used a variety of methods to compromise Exchange Online mailboxes. The weather-themed naming convention reflects a shift in how Microsoft classifies threat actor groups.