Microsoft recently announced that a Russian cyber group infiltrated the email accounts of some of its top executives. The breach, which occurred on January 12, was not made public until the company filed a regulatory disclosure on a Friday afternoon.
The Intrusion and Microsoft’s Response
In a detailed blog post, the Microsoft Security Response Center confirmed that the security breach had been addressed. The Russian state-sponsored group, known as Midnight Blizzard, was identified as the perpetrator behind the cyber assault on Microsoft’s corporate network.
Unusual Intent: Hackers Targeted Their Own Intel
The attackers’ motives were unconventional as they did not target customer data or sensitive business intelligence. Instead, their goal appeared to be gathering information on what Microsoft might have known about Midnight Blizzard’s operations. Historical patterns suggest that this group, also recognized as Nobelium, Cozy Bear, or APT 29, has previously engaged in attacks with similar self-referential objectives.
Microsoft’s report acknowledges that the hackers accessed a minimal number of the company’s email accounts, which included those of high-ranking officials and staff in the legal and cybersecurity divisions. Following the detection of the breach, Microsoft swiftly launched an investigation, disrupted the hack, and took steps to prevent further unauthorized access.
Method of Attack: Exploiting a Legacy Account
The attackers used a “password spray attack” to compromise a legacy account, which then allowed them to exploit permissions and access additional Microsoft email accounts. Microsoft has not disclosed how many accounts were ultimately affected or the specific details of the information accessed.
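For defenders, the pattern described above (failed sign-ins spread thinly across many accounts, followed by a success on one of them) can be looked for in sign-in logs. The sketch below is an added example, not Microsoft's detection logic or anything from its report; the event format, account names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, source address, account, outcome).
# Addresses are documentation ranges; "legacy-svc" is a hypothetical account name.
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "203.0.113.10", "alice", "fail"),
    ("2024-01-01T09:00:40", "203.0.113.10", "bob", "fail"),
    ("2024-01-01T09:01:20", "203.0.113.10", "carol", "fail"),
    ("2024-01-01T09:02:00", "203.0.113.10", "dave", "fail"),
    ("2024-01-01T09:02:40", "203.0.113.10", "erin", "fail"),
    ("2024-01-01T09:03:20", "203.0.113.10", "legacy-svc", "fail"),
    ("2024-01-01T09:10:00", "192.0.2.5", "carol", "success"),
    ("2024-01-01T09:35:00", "203.0.113.10", "alice", "fail"),
    ("2024-01-01T09:35:40", "203.0.113.10", "legacy-svc", "success"),
] + [
    # One user repeatedly mistyping a password: many failures, one account.
    ("2024-01-01T10:0%d:00" % i, "198.51.100.7", "bob", "fail") for i in range(6)
]

def detect_spray(events, window=timedelta(minutes=60), min_accounts=5, max_tries=3):
    """Return sources that failed against many accounts with few tries each,
    plus any sprayed account the same source later signed in to."""
    by_source = defaultdict(list)
    for ts, src, acct, outcome in events:
        by_source[src].append((datetime.fromisoformat(ts), acct, outcome))
    findings = {}
    for src, rows in by_source.items():
        rows.sort()
        fails = [(t, a) for t, a, o in rows if o == "fail"]
        for start, _ in fails:
            # Count failures per account inside the window opening at `start`.
            tries = defaultdict(int)
            for t, a in fails:
                if start <= t < start + window:
                    tries[a] += 1
            # Spray shape: wide across accounts, shallow per account.
            if len(tries) >= min_accounts and max(tries.values()) <= max_tries:
                hits = sorted({a for t, a, o in rows
                               if o == "success" and a in tries and t >= start})
                findings[src] = {"sprayed": sorted(tries), "compromised": hits}
                break
    return findings

if __name__ == "__main__":
    for source, result in detect_spray(SAMPLE_EVENTS).items():
        print(source, result)
```

The per-account cap is what separates a spray from an ordinary brute-force or a forgotten password, which is why per-account lockout counters alone tend to miss it.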
Moving forward, Microsoft has committed to applying stringent security measures to all its legacy systems and internal processes, despite potential disruptions to business operations. This initiative is part of a broader strategy aimed at enhancing the company’s cybersecurity defenses.