Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard.
The company detected the attack on January 12th and began its response to investigate, disrupt, and mitigate the breach.
Their investigation has determined that they were breached by the threat actor known as Midnight Blizzard, aka Nobelium or APT29.
Microsoft says that the threat actors breached their systems in November 2023 when they conducted a password spray attack to gain access to a legacy non-production test tenant account.
Using this account’s permissions, Nobelium was able to access a small percentage of Microsoft’s corporate email accounts for over a month, including members of the leadership team and those in the cybersecurity and legal departments.
This access allowed the attackers to steal emails and attachments from the corporate accounts.
“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” the Microsoft Security Response Center shared in a report on the incident.
“We are in the process of notifying employees whose email was accessed.”
Microsoft reiterates that this breach was not caused by a vulnerability in their products and services but rather by a brute force password attack on their accounts.
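An added detection example, not part of Microsoft's report or this article: a password spray such as the one described above spreads a few guesses across many accounts, so per-account lockout never fires. The detector below, run over constructed sign-in lines with placeholder addresses, groups failures by source, flags sources that hit many distinct accounts within a short window, and then lists any account that subsequently authenticated from a flagged source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (placeholder addresses, not real data):
# timestamp source_ip account result
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 alice@example.test FAIL
2023-11-20T02:00:09Z 203.0.113.7 bob@example.test FAIL
2023-11-20T02:00:17Z 203.0.113.7 carol@example.test FAIL
2023-11-20T02:00:25Z 203.0.113.7 dave@example.test FAIL
2023-11-20T02:00:33Z 203.0.113.7 legacy-test@example.test SUCCESS
2023-11-20T02:05:00Z 198.51.100.9 eve@example.test FAIL
2023-11-20T02:05:03Z 198.51.100.9 eve@example.test FAIL
2023-11-20T02:05:06Z 198.51.100.9 eve@example.test FAIL
2023-11-20T02:05:09Z 198.51.100.9 eve@example.test FAIL
"""

def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=4):
    """Return {source_ip: accounts} for sources whose failed sign-ins touch at
    least `min_accounts` distinct accounts inside a sliding time window.
    A spray is a few tries against many accounts, so per-account failure
    counts stay low and a per-account lockout threshold never triggers;
    the signal is the breadth of accounts per source, not depth per account."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for ts, ip, account, result in sorted(events):
        if result == "FAIL":
            by_ip[ip].append((ts, account))
    alerts = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward past old failures
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[ip] = sorted(accounts)
    return alerts

def successes_after_spray(log_text, alerts):
    """Accounts that signed in successfully from a flagged source: these are
    the likely compromised accounts and deserve first attention."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = parse_line(line)
        if result == "SUCCESS" and ip in alerts:
            hits.append((ip, account))
    return hits
```

The second source in the sample fails four times against a single account and is correctly not flagged as a spray; that pattern is what conventional per-account lockout already handles.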
While Microsoft is still investigating the breach, they said they will share additional details as appropriate.
In a Form 8-K filing with the SEC, Microsoft says that the breach has not had a material impact on the company’s operations.
Who is Nobelium?
Nobelium is a Russian state-sponsored actor believed to be behind the 2020 SolarWinds supply chain attack, which also impacted Microsoft.
Microsoft later confirmed that the SolarWinds attack allowed the hackers to steal source code for a limited number of Azure, Intune, and Exchange components.
In June 2021, the hacking group breached a Microsoft corporate account again, allowing them to access customer support tools.
The hacking group is believed to be part of Russia’s Foreign Intelligence Service (SVR) and has been linked to numerous attacks worldwide, including attacks on diplomats and government agencies.