Microsoft has disclosed that a Russian government-backed hacking group, which infiltrated its corporate network and spied on senior executives, has also stolen source code and may still be exploring its internal systems.
The software giant described the situation as an “ongoing attack,” noting that the hacking group is leveraging information initially obtained from corporate email systems to gain unauthorized access. This included access to some of the company’s source code repositories and internal systems. However, Microsoft did not provide specific details on which systems were breached or the extent of the source code theft.
As of now, Microsoft assures that its customer-facing systems hosted by the company have not been compromised.
Midnight Blizzard’s Strategy
The hacking group, known as Midnight Blizzard, is still attempting to exploit shared secrets found in exfiltrated emails. Microsoft has been reaching out to affected customers to assist them in taking mitigating measures. The company warned that Midnight Blizzard has intensified some aspects of the attack, such as password sprays, which have increased by as much as tenfold in February compared to January 2024.
Unprecedented Global Threat Landscape
Microsoft highlighted the evolving threat landscape, especially in sophisticated nation-state attacks. The company suggests that the hackers may be using the stolen information to plan and enhance future attacks.
Previous Activity and Detection
This development comes after Midnight Blizzard was recently discovered within Microsoft’s network spying on emails and attachments from senior executives. The Advanced Persistent Threat (APT) group utilized a password spray attack to compromise a legacy non-production test tenant account. This breach allowed them to access a small percentage of Microsoft corporate email accounts, leading to the exfiltration of some emails and documents.
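The password spray technique named above (and the tenfold increase noted earlier) has a recognisable shape in sign-in telemetry: one source tries one or two passwords against many accounts instead of many passwords against one, so per-account failure counts stay below lockout thresholds while the number of distinct accounts climbs. The following Python is an added example, not Microsoft's code or telemetry from this incident; the simplified log format, the source addresses, the account names (including the "legacy-test" account standing in for a legacy non-production tenant account) and the thresholds are all constructed for illustration.

```python
"""Password-spray detection over constructed sign-in events (added example).

Assumptions: each line is "<ISO-8601 UTC timestamp> <source IP> <account> <FAIL|SUCCESS>".
Real identity-provider logs carry more fields; the logic only needs these four.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: a spray from 198.51.100.7 (one failure per account across
# many accounts, then a success on the legacy test account) and a legitimate user
# at 203.0.113.10 who mistypes their own password three times before succeeding.
SAMPLE_LOG = """\
2024-02-01T08:00:01Z 198.51.100.7 user01@example.test FAIL
2024-02-01T08:00:04Z 198.51.100.7 user02@example.test FAIL
2024-02-01T08:00:09Z 198.51.100.7 user03@example.test FAIL
2024-02-01T08:00:15Z 198.51.100.7 user04@example.test FAIL
2024-02-01T08:00:22Z 198.51.100.7 user05@example.test FAIL
2024-02-01T08:00:30Z 198.51.100.7 user06@example.test FAIL
2024-02-01T08:00:41Z 198.51.100.7 legacy-test@example.test FAIL
2024-02-01T08:05:10Z 198.51.100.7 legacy-test@example.test SUCCESS
2024-02-01T09:00:00Z 203.0.113.10 alice@example.test FAIL
2024-02-01T09:00:20Z 203.0.113.10 alice@example.test FAIL
2024-02-01T09:00:45Z 203.0.113.10 alice@example.test FAIL
2024-02-01T09:01:10Z 203.0.113.10 alice@example.test SUCCESS
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    source_ip: str
    account: str
    success: bool


def parse_log(text: str) -> list[SignIn]:
    """Parse the assumed four-column format into SignIn records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, account, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(when, ip, account.lower(), result == "SUCCESS"))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_avg_attempts=2.0):
    """Flag a source IP whose failures within `window` hit >= min_accounts distinct
    accounts with a low average of attempts per account (the spray signature).
    Returns {source_ip: finding}; one finding per source, at the first window that fires."""
    failures_by_ip = defaultdict(list)
    for ev in events:
        if not ev.success:
            failures_by_ip[ev.source_ip].append(ev)

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e.ts)
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e.ts - start.ts <= window]
            per_account = Counter(e.account for e in in_window)
            avg_attempts = len(in_window) / len(per_account)
            if len(per_account) >= min_accounts and avg_attempts <= max_avg_attempts:
                findings[ip] = {
                    "window_start": start.ts,
                    "attempts": len(in_window),
                    "distinct_accounts": len(per_account),
                    "accounts": sorted(per_account),
                }
                break
    return findings


def accounts_to_review(events, findings):
    """For each flagged source, list targeted accounts that later signed in
    successfully from that same source: candidates for credential reset and
    session revocation."""
    review = {}
    for ip, finding in findings.items():
        targeted = set(finding["accounts"])
        hits = sorted({e.account for e in events
                       if e.success and e.source_ip == ip
                       and e.ts >= finding["window_start"] and e.account in targeted})
        if hits:
            review[ip] = hits
    return review


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_password_spray(evs)
    for ip, f in found.items():
        print(f"spray from {ip}: {f['distinct_accounts']} accounts, {f['attempts']} attempts")
    print("accounts to review:", accounts_to_review(evs, found))
```

The thresholds are deliberately loose here so the constructed sample fires; in production they should be tuned against the tenant's baseline, and the check belongs alongside, not instead of, per-account lockout, since a spray is designed to stay under that lockout. Accounts that succeed after a spray window are the ones to reset and to check for newly minted tokens, consent grants or mailbox rules.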
Timeline of the Attack
Microsoft’s security team identified the nation-state attack on its corporate systems on January 12, 2024, tracing the initial infection back to November 2023.
Previous Incidents
This incident follows a similar hacking event where Chinese cyber actors forged authentication tokens using a stolen Azure AD enterprise signing key to access M365 email inboxes. This breach affected around 25 government organizations in the United States and is under investigation by the CISA Cyber Security Review Board (CSRB).
Midnight Blizzard’s History
Midnight Blizzard, also known as Nobelium, APT29 and Cozy Bear, was previously attributed to the 2020 SolarWinds supply chain attack, in which the IT management software vendor SolarWinds was compromised to reach its customers.
This ongoing saga highlights the persistent threats posed by sophisticated hacking groups and underscores the challenges faced by tech companies in securing their systems against such attacks.