Microsoft says the Russian ‘Midnight Blizzard’ hacking group recently accessed some of its internal systems and source code repositories using authentication secrets stolen during a January cyberattack.
In January, Microsoft disclosed that Midnight Blizzard (aka NOBELIUM) had breached corporate email servers after conducting a password spray attack that allowed access to a legacy non-production test tenant account.
A later blog post revealed that this test account did not have multi-factor authentication enabled, so a correctly guessed password alone was enough to sign in.
The test tenant account also had access to a legacy OAuth application with elevated access to Microsoft's corporate environment, which the threat actors used to read and steal data from corporate mailboxes, including those of members of Microsoft's leadership team and employees in the cybersecurity and legal departments.
The company believes the threat actors breached some of these email accounts to learn what Microsoft knew about them.
Midnight Blizzard hacks Microsoft again
Today, Microsoft says that Midnight Blizzard is using secrets found in the stolen data to gain access to some of the company’s systems and source code repositories in recent weeks.
“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” reads a new blog post by the Microsoft Security Response Center.
“This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”
Microsoft has not explained precisely what these "secrets" are, but in context they are most likely authentication tokens, API keys, or credentials that were exchanged in email.
Microsoft says they have begun contacting customers whose secrets were exposed to the threat actors in stolen emails between them and Microsoft.
“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” continued Microsoft.
The company says that Midnight Blizzard is also ramping up its password spray attacks against targeted systems, observing a 10-fold increase in February compared to the volume they saw in January 2024.
A password spray is a type of brute-force attack in which the threat actor collects a list of likely usernames and tries a small number of common passwords against every one of them, usually at a slow pace, rather than hammering a single account with a long wordlist. Because each account sees only one or two failed attempts, per-account lockout thresholds are never tripped and the activity blends into ordinary failed sign-ins; if a password fails across the whole list, the attacker moves on to the next password until one succeeds.
For this reason, MFA should be enforced on every account, including legacy, test, and non-production tenants, so that a correctly guessed password alone does not grant access.
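Because a spray keeps every account under its lockout threshold, the signal lives in the per-source view rather than the per-account view. The Python below is an added example (not code from Microsoft or the original article) that runs a simple spray detector over a constructed set of sign-in events: it flags a source that fails against many distinct users with few failures per user inside a time window, and reports any later success from that source on a sprayed account. The log format, source addresses, usernames, and thresholds are all assumptions chosen for the demonstration.

```python
"""Password-spray detection over sign-in logs.

Added example, not code from Microsoft or the original article.  The log format,
source addresses, usernames and thresholds are assumptions made up for the demo.

A spray is the inverse of classic brute force: per-account lockout (N failures
on one user) never fires because each account sees one or two guesses.  The
signal is per-source: one origin failing against many distinct users within a
window, with a low per-user failure count, optionally followed by a success
from the same origin on one of the sprayed accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# (timestamp, user, source_ip, outcome)
SAMPLE_EVENTS = [
    # A legitimate user mistypes once and then signs in: benign noise.
    ("2024-02-01T08:55:00", "alice", "192.0.2.5", "failure"),
    ("2024-02-01T08:55:20", "alice", "192.0.2.5", "success"),
    # Classic brute force: one account hammered from one source.  Per-account
    # lockout handles this, and it is deliberately *not* reported as a spray.
    ("2024-02-01T09:00:00", "bob", "198.51.100.9", "failure"),
    ("2024-02-01T09:01:00", "bob", "198.51.100.9", "failure"),
    ("2024-02-01T09:02:00", "bob", "198.51.100.9", "failure"),
    ("2024-02-01T09:03:00", "bob", "198.51.100.9", "failure"),
    ("2024-02-01T09:04:00", "bob", "198.51.100.9", "failure"),
    ("2024-02-01T09:05:00", "bob", "198.51.100.9", "failure"),
    # Password spray: one guess per account across many accounts, then a
    # later success on a legacy test account that has no MFA.
    ("2024-02-01T10:00:00", "alice", "203.0.113.7", "failure"),
    ("2024-02-01T10:00:07", "bob", "203.0.113.7", "failure"),
    ("2024-02-01T10:00:14", "carol", "203.0.113.7", "failure"),
    ("2024-02-01T10:00:21", "dave", "203.0.113.7", "failure"),
    ("2024-02-01T10:00:28", "erin", "203.0.113.7", "failure"),
    ("2024-02-01T10:00:35", "legacy-test-svc", "203.0.113.7", "failure"),
    ("2024-02-01T10:20:00", "legacy-test-svc", "203.0.113.7", "success"),
]


def parse_events(events):
    """Turn ISO-8601 timestamps into datetimes and sort chronologically."""
    return sorted(
        (datetime.fromisoformat(ts), user, ip, outcome)
        for ts, user, ip, outcome in events
    )


def detect_password_spray(events, window_minutes=30, min_users=5, max_failures_per_user=2):
    """Return {source_ip: finding} for every source matching the spray pattern.

    A source is flagged when, inside a sliding window of `window_minutes`, it
    fails against at least `min_users` distinct accounts while no single
    account sees more than `max_failures_per_user` failures (the attacker is
    staying under lockout).  Any later success from that source against a
    sprayed account is reported as a likely compromise.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in parse_events(events):
        by_ip[ip].append((ts, user, outcome))

    findings = {}
    for ip, evs in by_ip.items():
        failures = [(ts, user) for ts, user, outcome in evs if outcome == "failure"]
        successes = [(ts, user) for ts, user, outcome in evs if outcome == "success"]
        for i, (start, _) in enumerate(failures):
            # All failures from this source within `window` of the i-th failure.
            in_window = [(ts, u) for ts, u in failures[i:] if ts - start <= window]
            per_user = defaultdict(int)
            for _, u in in_window:
                per_user[u] += 1
            if len(per_user) < min_users or max(per_user.values()) > max_failures_per_user:
                continue
            # Sprayed accounts that the same source later signed into.
            compromised = sorted({u for ts, u in successes if u in per_user and ts >= start})
            findings[ip] = {
                "window_start": start.isoformat(),
                "window_end": in_window[-1][0].isoformat(),
                "distinct_users": len(per_user),
                "max_failures_per_user": max(per_user.values()),
                "compromised_users": compromised,
            }
            break  # one alert per source is enough
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

On the sample data only 203.0.113.7 is reported, with six distinct users, one failure each, and legacy-test-svc listed as compromised; the six failures against bob from 198.51.100.9 are left to the per-account lockout rule, and alice's single typo is ignored. In production the source key should usually be the ASN or a residential-proxy reputation tag rather than a bare IP, since sprays of the kind Microsoft describes are spread across many addresses, and the thresholds here should be tuned to the tenant's normal failed-sign-in rate.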
In an amended Form 8-K filing with the SEC, Microsoft says they have increased security across their organization to harden it against advanced persistent threat actors.
“We have increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat,” reads the 8-K filing.
“We continue to coordinate with federal law enforcement with respect to its ongoing investigation of the threat actor and the incident.”