Microsoft reported on Friday that a Russian state-sponsored hacking group known as Midnight Blizzard breached some of its corporate email accounts and stole data. The attack was detected on January 12th and ultimately determined to be the work of Russian threat actors known as Nobelium or APT29.
The hackers gained access to Microsoft’s systems in November 2023 through a password spray attack on a legacy, non-production test tenant account, which indicates the account was not protected by two-factor authentication. They then used this account to access a small percentage of Microsoft’s corporate email accounts for over a month, stealing emails and attachments, primarily targeting information related to Midnight Blizzard itself.
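A password spray is the mirror image of brute force: a few common passwords tried against many accounts, so per-account lockout thresholds are never hit and the activity only stands out when sign-in failures are grouped by source. The detection below is an added example written for this article, not code from Microsoft or from the original report; the record layout (timestamp, source IP, account, result, MFA flag), the thresholds, and the sample sign-in records are all constructed assumptions. It flags sources failing against many distinct accounts in a short window, then lists any account such a source later signed into successfully, and separately reports accounts that signed in without MFA enforcement, which is the exposure the article describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data):
# (timestamp, source_ip, account, result, mfa_enforced)
SAMPLE_SIGNINS = [
    ("2023-11-20T02:00:01", "203.0.113.7", "alice",       "FAIL",    True),
    ("2023-11-20T02:00:09", "203.0.113.7", "bob",         "FAIL",    True),
    ("2023-11-20T02:00:17", "203.0.113.7", "carol",       "FAIL",    True),
    ("2023-11-20T02:00:25", "203.0.113.7", "dave",        "FAIL",    True),
    ("2023-11-20T02:00:33", "203.0.113.7", "erin",        "FAIL",    True),
    # legacy test account with no MFA: the one guess that lands
    ("2023-11-20T02:00:41", "203.0.113.7", "test-legacy", "SUCCESS", False),
    # ordinary user mistyping a password twice, then succeeding: not a spray
    ("2023-11-20T09:15:00", "198.51.100.4", "frank",      "FAIL",    True),
    ("2023-11-20T09:15:20", "198.51.100.4", "frank",      "FAIL",    True),
    ("2023-11-20T09:15:45", "198.51.100.4", "frank",      "SUCCESS", True),
]


def parse(record):
    """Turn one raw tuple into typed fields (timestamp parsed to datetime)."""
    ts, ip, account, result, mfa = record
    return datetime.fromisoformat(ts), ip, account, result, mfa


def detect_password_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source whose
    failed sign-ins cover at least `min_accounts` different accounts inside
    any sliding time window of length `window`. Grouping by source rather
    than by account is what separates a spray from a single user's typos."""
    failures = defaultdict(list)  # source_ip -> [(timestamp, account)]
    for ts, ip, account, result, _ in map(parse, records):
        if result == "FAIL":
            failures[ip].append((ts, account))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # shrink the window from the left until it fits
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {acct for _, acct in events[lo:hi + 1]}
            if len(distinct) >= min_accounts:
                alerts[ip] = sorted(distinct)
                break
    return alerts


def successes_after_spray(records, alerts):
    """(account, mfa_enforced) for every successful sign-in from a source
    already flagged as spraying: these are the credentials to contain first."""
    return [
        (account, mfa)
        for _, ip, account, result, mfa in map(parse, records)
        if ip in alerts and result == "SUCCESS"
    ]


def accounts_without_mfa(records):
    """Every account observed signing in without MFA enforcement, whether or
    not it was attacked; a spray only becomes a breach against these."""
    return sorted({a for _, _, a, _, mfa in map(parse, records) if not mfa})


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_SIGNINS)
    print("spray sources:", sprays)
    print("successful sign-ins from spray sources:",
          successes_after_spray(SAMPLE_SIGNINS, sprays))
    print("accounts lacking MFA:", accounts_without_mfa(SAMPLE_SIGNINS))
```

On the constructed records the detector flags the single source that cycled through five accounts in under a minute, attributes the later `test-legacy` success to it, and reports that account as the only one without MFA; the user who mistyped a password twice produces no alert because the per-source distinct-account count stays at one.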
Microsoft is currently investigating the breach and will share additional details as appropriate. While the company states that the breach was not caused by a vulnerability in its products or services, it is clear that the poorly secured configuration of the breached account played a significant role.
Despite the breach, Microsoft states that the incident has not had a material impact on its operations. Nobelium, also known as Midnight Blizzard, APT29, and Cozy Bear, is a Russian state-sponsored hacking group believed to be part of Russia’s Foreign Intelligence Service (SVR). It has been linked to numerous attacks over the years, including the 2020 SolarWinds supply chain attack and previous breaches of Microsoft accounts. In addition to cyberespionage and data theft, Nobelium is known for developing custom malware for its attacks.
Microsoft, as a company controlling a significant amount of global data and services, is a highly prized target for hackers from various countries. This includes a recent incident in which Chinese hackers stole a Microsoft signing key, giving them access to the email accounts of multiple organizations, including government agencies in the US and Western Europe.