
Microsoft Reveals Depth of Midnight Blizzard Cyber Attack in SEC Filing

Russian hackers (Cozy Bear) stole Microsoft source code after infiltrating emails. Microsoft is investigating.


Microsoft has confirmed that the Russian cyberespionage group known as Midnight Blizzard, also recognized as Cozy Bear and APT29, responsible for the infamous SolarWinds supply chain attack, has not only infiltrated executive email accounts but has also accessed and stolen source code. This ongoing cyber intrusion, originally disclosed to the public in January, marks a significant escalation in the group's operations against the Redmond-based technology giant. Initially, Microsoft reported the theft of internal messages and files from a small percentage of corporate email accounts, including those of its leadership, cybersecurity, and legal staff. These accounts contained sensitive communications between customers and Microsoft, but at that time, it was believed that customer environments, production systems, AI systems, or source code were not compromised.

Escalation of the Attack

As the investigation into the breach progresses, Microsoft has unearthed evidence that Midnight Blizzard is leveraging information initially extracted from Microsoft's corporate email systems to attempt further unauthorized access to various internal resources. According to a recent security update and a filing with the US Securities and Exchange Commission, these efforts have now successfully penetrated some of the company's source code repositories. Despite these serious developments, Microsoft has noted that there appears to be no compromise of any customer-facing systems thus far. The cybersecurity team at Microsoft has identified an increase in password spray attacks, a method used by the attackers to gain entry, noting a ten-fold rise in such activity from January to February. The lapse in security was partly due to the lack of multi-factor authentication on a corporate account.

Mitigation and Response

Microsoft's response to this advanced persistent threat highlights the sophisticated and coordinated nature of nation-state cyberattacks, emphasizing the global challenge of defending against such adversaries. The company assures that the breach has not financially impacted its operations. However, it remains vigilant in its investigation and promises to provide updates on the situation. As part of its immediate measures, Microsoft is reaching out to customers potentially affected by the breach to assist in mitigating any risks. The incident underscores the importance of robust cybersecurity measures, including the essential role of multi-factor authentication in protecting against such sophisticated .

Source: Microsoft
Luke Jones