Microsoft has confirmed that a Russian state-sponsored hacking group, tracked as Midnight Blizzard and also known as APT29 or Nobelium, infiltrated its systems and breached corporate email accounts belonging to members of its senior leadership team. The intrusion is a continuation of the group's long-running cyberespionage campaigns; Microsoft attributes Midnight Blizzard to the Russian Foreign Intelligence Service (SVR).
HPE Hit by Security Incident
Similarly, Hewlett Packard Enterprise (HPE) disclosed that it had fallen victim to the same group, with the attackers gaining unauthorized access to HPE's Microsoft Office 365 email environment and extracting data from it since May 2023. HPE has not said exactly how it learned of the breach; one reading is that the notice came as part of the notification process Microsoft extended to other organizations targeted by Midnight Blizzard.
Original Breach and Investigation
Upon discovering the breach on January 12, 2024, Microsoft's security team launched an investigation to establish the scope of the intrusion and the damage done. The investigation found that the attack began in late November 2023 with a password-spray campaign rather than phishing, and that the attackers initially targeted mailboxes for information Microsoft held about Midnight Blizzard itself.
Employees whose email accounts were compromised are being notified. Those affected include members of Microsoft's senior leadership team as well as employees in the cybersecurity and legal functions. The exfiltrated data consisted of internal communications, and Microsoft has said it has found no evidence that customer environments or customer accounts were accessed in this incident.
Given the significance of these breaches, Microsoft shared the techniques the attackers used. They ran a password-spraying campaign through residential proxy infrastructure, which spreads a small number of guesses across many accounts and rotates source IP addresses that look like ordinary consumer ISP traffic, defeating per-IP rate limits and blocklists. The spray succeeded against a legacy, non-production test tenant account that was not protected by Multi-Factor Authentication (MFA). From that foothold the attackers abused a legacy test OAuth application that held elevated access to Microsoft's corporate environment, created additional malicious OAuth applications, and used them to reach corporate mailboxes. The lesson for defenders is that the account itself was unimportant; what mattered was the elevated access of the OAuth application it could reach, so every account without MFA is a potential path to tenant-wide mail access.
Microsoft has not only dissected these methods but also published detection and hunting guidance to help security teams recognize and stop Midnight Blizzard's tradecraft. The guidance points defenders at Exchange Web Services (EWS) activity logs, anomalous OAuth application consents and permission grants, and sign-in telemetry showing the group's known patterns, with the aim of equipping organizations against similar state-sponsored attacks.
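The following is an added example, not code from this article, from Microsoft, or from HPE. It shows the hunting logic the technique described above calls for: a password spray is the inverse of brute force (breadth across many accounts, very few attempts per account, rotating source IPs), so the detector groups failed sign-ins into time windows and flags windows with many distinct users, few failures each, and many IPs; it then lists any account that authenticated successfully without MFA inside such a window, and flags OAuth consent grants of application-level mailbox permissions. The log events and field layout are constructed for the example and are a simplified stand-in for a real identity provider's sign-in and audit logs; the permission name `full_access_as_app` is the Exchange Online application role Microsoft's own advisory named, everything else is invented here.

```python
"""Password-spray and OAuth-abuse hunting over constructed sign-in / audit events."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
_EPOCH = datetime(1970, 1, 1)

# Constructed sign-in events (not real logs): (timestamp, user, source_ip, result, mfa_used).
# The 02:00 burst is one guess per account from a different IP each time (a spray);
# the 09:15 entries are one user mistyping a password, then succeeding with MFA.
SIGN_INS = [
    ("2023-11-28T02:00:05", "alice@corp.example",     "203.0.113.10", "failure", False),
    ("2023-11-28T02:00:09", "bob@corp.example",       "203.0.113.11", "failure", False),
    ("2023-11-28T02:00:14", "carol@corp.example",     "203.0.113.12", "failure", False),
    ("2023-11-28T02:00:20", "dave@corp.example",      "203.0.113.13", "failure", False),
    ("2023-11-28T02:00:26", "erin@corp.example",      "203.0.113.14", "failure", False),
    ("2023-11-28T02:00:31", "test-acct@corp.example", "203.0.113.15", "success", False),
    ("2023-11-28T02:00:40", "frank@corp.example",     "203.0.113.16", "failure", False),
    ("2023-11-28T09:15:00", "alice@corp.example",     "198.51.100.7", "failure", False),
    ("2023-11-28T09:15:08", "alice@corp.example",     "198.51.100.7", "failure", False),
    ("2023-11-28T09:15:20", "alice@corp.example",     "198.51.100.7", "success", True),
]

# Constructed OAuth consent/grant audit events: (timestamp, actor, app, permission, kind).
APP_GRANTS = [
    ("2023-11-29T03:12:44", "test-acct@corp.example", "legacy-test-app",  "User.Read",          "delegated"),
    ("2023-11-29T03:20:01", "svc-new@corp.example",   "mail-sync-helper", "full_access_as_app", "application"),
    ("2023-11-29T10:00:00", "it-admin@corp.example",  "hr-portal",        "Mail.Read",          "delegated"),
]


def _bucket(ts, window=WINDOW):
    """Floor an ISO timestamp to the start of its fixed-size window."""
    secs = int((datetime.fromisoformat(ts) - _EPOCH).total_seconds())
    w = int(window.total_seconds())
    return _EPOCH + timedelta(seconds=secs - secs % w)


def detect_password_spray(events, window=WINDOW, min_users=5, max_per_user=2):
    """Return windows whose failed sign-ins touch many accounts with few tries each.

    Per-IP thresholds miss this pattern when the attacker rotates through
    residential proxies, so the detector keys on breadth across users instead.
    """
    buckets = defaultdict(list)
    for ts, user, ip, result, _mfa in events:
        if result == "failure":
            buckets[_bucket(ts, window)].append((user, ip))
    hits = []
    for start, attempts in sorted(buckets.items()):
        per_user = defaultdict(int)
        for user, _ in attempts:
            per_user[user] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            hits.append({"window_start": start.isoformat(),
                         "users": len(per_user),
                         "source_ips": len({ip for _, ip in attempts})})
    return hits


def successes_without_mfa(events, spray_hits, window=WINDOW):
    """Accounts that signed in successfully with no MFA during a flagged spray window.

    Those are the accounts the sprayer actually landed on; they must be treated as
    compromised even if they look unimportant (a test or legacy account).
    """
    starts = {datetime.fromisoformat(h["window_start"]) for h in spray_hits}
    return sorted({user for ts, user, _ip, result, mfa in events
                   if result == "success" and not mfa and _bucket(ts, window) in starts})


def risky_app_grants(grants, compromised_users):
    """Flag application-type permission grants (they apply to every mailbox, with no
    signed-in user) and any grant performed by a known-compromised account."""
    return [(app, permission, actor)
            for _ts, actor, app, permission, kind in grants
            if kind == "application" or actor in compromised_users]


if __name__ == "__main__":
    hits = detect_password_spray(SIGN_INS)
    landed = successes_without_mfa(SIGN_INS, hits)
    print("spray windows:", hits)
    print("no-MFA successes inside spray:", landed)
    print("risky OAuth grants:", risky_app_grants(APP_GRANTS, set(landed)))
```

In a real tenant the same three questions are asked of the sign-in log, the sign-in log again filtered to successes, and the audit log's consent and app-role-assignment events; the thresholds here (five users, at most two failures each, ten-minute windows) are starting points to tune against your own baseline.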