Microsoft clarifies how its leaders became the targets of Russian hackers
Microsoft revealed a cyber-attack on its corporate systems orchestrated by Russian state-sponsored hackers, the very same group responsible for the SolarWinds incident. The breach allowed the hackers to infiltrate the email accounts of Microsoft's senior leadership, potentially conducting surveillance for an extended period.
Microsoft has now provided a more comprehensive analysis of the attack, shedding light on the methods employed by the hackers to bypass the company's security measures.
The initial point of entry for the hackers was a password spray attack, a brute-force variant in which a small set of likely passwords is tried against many accounts rather than many passwords against one, so that no single account accumulates enough failures to trip a lockout. Notably, the compromised account, a legacy non-production test tenant account, lacked two-factor authentication, so the one correct guess was enough to sign in.
Microsoft disclosed that Nobelium, or "Midnight Blizzard," customized their password spray attacks to a limited number of accounts, employing a low number of attempts to evade detection.
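The "low and slow" tailoring described above is what makes a spray invisible to per-account lockout counting. The added example below, written for this page and not taken from Microsoft's report or tooling, runs over a constructed sign-in log (invented accounts, addresses and timestamps in the shape of a tenant sign-in log) and contrasts the per-account view, which only catches a noisy single-account brute force, with a per-source view that counts distinct accounts failed from one address inside a window, then lists which successes from that source hit an account without MFA.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events in the shape of a tenant sign-in log; every
# timestamp, account and address here is invented for this example and is
# not data from the incident.
# Fields: (timestamp, account, source IP, result, MFA enforced on the account?)
SAMPLE_SIGNINS = [
    # low-and-slow spray from 203.0.113.7: two guesses per account, hours apart
    ("2023-11-20T01:05:00", "alice@test.example", "203.0.113.7", "fail", True),
    ("2023-11-20T03:10:00", "bob@test.example", "203.0.113.7", "fail", True),
    ("2023-11-20T05:15:00", "carol@test.example", "203.0.113.7", "fail", True),
    ("2023-11-20T07:20:00", "dave@test.example", "203.0.113.7", "fail", True),
    ("2023-11-20T09:25:00", "svc-legacy@test.example", "203.0.113.7", "fail", False),
    ("2023-11-20T11:30:00", "alice@test.example", "203.0.113.7", "fail", True),
    ("2023-11-20T13:35:00", "bob@test.example", "203.0.113.7", "fail", True),
    ("2023-11-20T15:40:00", "carol@test.example", "203.0.113.7", "fail", True),
    ("2023-11-20T17:45:00", "dave@test.example", "203.0.113.7", "fail", True),
    # the guess lands on the one account without MFA
    ("2023-11-20T19:50:00", "svc-legacy@test.example", "203.0.113.7", "success", False),
    # a normal user mistyping once, then succeeding with MFA
    ("2023-11-20T10:00:00", "frank@corp.example", "192.0.2.44", "fail", True),
    ("2023-11-20T10:00:30", "frank@corp.example", "192.0.2.44", "success", True),
] + [
    # classic single-account brute force from 198.51.100.9: loud, caught by lockout
    ("2023-11-20T08:00:%02d" % (5 * i), "erin@corp.example", "198.51.100.9", "fail", True)
    for i in range(6)
]


def parse(rows):
    return [
        {"ts": datetime.fromisoformat(t), "user": u, "src": s, "result": r, "mfa": m}
        for t, u, s, r, m in rows
    ]


EVENTS = parse(SAMPLE_SIGNINS)


def accounts_over_lockout(events, threshold=5):
    """Per-account failure counting: what a lockout policy sees."""
    fails = Counter(e["user"] for e in events if e["result"] == "fail")
    return {u: n for u, n in fails.items() if n >= threshold}


def spray_sources(events, min_accounts=5, window=timedelta(hours=24)):
    """Per-source view: a source that fails against many distinct accounts
    inside `window` is spraying, however few attempts each account saw."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        best = 0
        for i, anchor in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - anchor["ts"] <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            flagged[src] = best
    return flagged


def likely_compromised(events, sources):
    """Successful sign-ins from a spraying source; the MFA flag tells you
    which of them the attacker could actually use."""
    hits = {(e["user"], e["mfa"]) for e in events
            if e["result"] == "success" and e["src"] in sources}
    return sorted(hits)


if __name__ == "__main__":
    print("lockout would catch:", accounts_over_lockout(EVENTS))
    srcs = spray_sources(EVENTS)
    print("spraying sources:", srcs)
    print("successes from those sources:", likely_compromised(EVENTS, srcs))
```

On the sample data the lockout view flags only erin's six rapid failures, while the spray source shows two failures per account and never reaches the threshold; only the per-source count of five distinct accounts in 24 hours exposes it, and the one success from that address is the account with MFA disabled. The thresholds and the 24-hour window are assumptions to tune per tenant; attackers who rotate source addresses defeat the per-source grouping, so in practice the same count is also run per ASN or per user-agent.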
Once inside, the group used its initial access to identify and compromise a legacy test OAuth application that held elevated access to Microsoft's corporate environment. OAuth, the widely used open standard for token-based delegation of access, became the pivot of the attack. On the web it is commonly used to let an application act on a user's or a tenant's behalf with a token instead of the user's password; an application granted permissions in its own right, rather than on behalf of a signed-in user, is not covered by that user's two-factor authentication at all.
With that access, the hackers created additional malicious OAuth applications and new accounts, ultimately giving themselves access to Microsoft's corporate environment and to the Office 365 Exchange Online service, which serves as the gateway to email inboxes within the Microsoft ecosystem.
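The two preceding paragraphs describe a chain that leaves a distinct trail in a tenant's directory audit log: a long-dormant application that still holds elevated permissions, then one actor registering new applications, granting them application-level (app-only) permissions and creating accounts within a short span. The added example below is written for this page, not taken from Microsoft's report or from any Microsoft tool. It uses constructed audit events whose activity names follow the conventions of Microsoft Entra ID directory audit logs and a constructed application inventory; the actors, application names, timestamps and the `Mail.ReadWrite` permission used as the elevated grant are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory audit events: the activity names follow Entra ID
# audit-log conventions, but every actor, app and timestamp is invented for
# this example and is not a record from the incident.
# Fields: (timestamp, actor, activity, target, permission-or-empty)
SAMPLE_AUDIT = [
    # benign: an admin registers an app with one delegated scope, creates no accounts
    ("2023-11-21T09:00:00", "admin@corp.example", "Add application", "hr-portal", ""),
    ("2023-11-21T09:02:00", "admin@corp.example", "Consent to application", "hr-portal", "delegated:User.Read"),
    # the chain the article describes, driven from a compromised test-tenant account:
    # new app -> app-only mail permission -> new account, all within minutes
    ("2023-11-22T02:10:00", "svc-legacy@test.example", "Add application", "mail-sync-tool", ""),
    ("2023-11-22T02:11:00", "svc-legacy@test.example", "Add service principal", "mail-sync-tool", ""),
    ("2023-11-22T02:15:00", "svc-legacy@test.example", "Add app role assignment to service principal", "mail-sync-tool", "application:Mail.ReadWrite"),
    ("2023-11-22T02:20:00", "svc-legacy@test.example", "Add user", "backup-sync@test.example", ""),
]

# Constructed app inventory: (app name, granted permissions, last sign-in by the app)
SAMPLE_APPS = [
    ("hr-portal", ["delegated:User.Read"], "2024-01-10T08:00:00"),
    ("legacy-mailbox-test", ["application:Mail.ReadWrite"], "2021-03-04T12:00:00"),
    ("mail-sync-tool", ["application:Mail.ReadWrite"], "2023-11-22T02:30:00"),
]

CREATE = {"Add application", "Add service principal"}
GRANT = {"Consent to application", "Add app role assignment to service principal"}


def parse_audit(rows):
    return [
        {"ts": datetime.fromisoformat(t), "actor": a, "activity": act, "target": tgt, "perm": p}
        for t, a, act, tgt, p in rows
    ]


AUDIT = parse_audit(SAMPLE_AUDIT)


def app_only(perm):
    """Application permissions act without any signed-in user, so no user's
    MFA stands in their way; those are the grants worth alerting on."""
    return perm.startswith("application:")


def suspicious_chains(events, window=timedelta(hours=24)):
    """Actors that, inside `window`, created an app, granted it an app-only
    permission and created a user, with what they created."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    findings = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            apps = {e["target"] for e in span if e["activity"] in CREATE}
            perms = {e["perm"].split(":", 1)[1] for e in span
                     if e["activity"] in GRANT and app_only(e["perm"])}
            users = {e["target"] for e in span if e["activity"] == "Add user"}
            if apps and perms and users:
                f = findings.setdefault(actor, {"apps": set(), "app_only_permissions": set(), "new_users": set()})
                f["apps"] |= apps
                f["app_only_permissions"] |= perms
                f["new_users"] |= users
    return {a: {k: sorted(v) for k, v in f.items()} for a, f in findings.items()}


def stale_privileged_apps(apps, now, max_idle=timedelta(days=180)):
    """Apps holding app-only permissions that have not signed in for `max_idle`:
    the 'legacy test application with elevated access' pattern."""
    return sorted(
        name for name, perms, last in apps
        if any(app_only(p) for p in perms) and now - datetime.fromisoformat(last) > max_idle
    )


if __name__ == "__main__":
    print("creation chains:", suspicious_chains(AUDIT))
    print("stale privileged apps:", stale_privileged_apps(SAMPLE_APPS, datetime(2024, 1, 12)))
```

The inventory check is the preventive half: an application that has not signed in for months yet still holds app-only mailbox permissions is exactly the kind of legacy test application the attackers found, and removing the grant costs nothing. The chain detector is the reactive half, and it deliberately ignores delegated scopes such as `User.Read`, since those are bounded by the consenting user's own access and MFA. The 24-hour window and 180-day idle limit are assumptions to tune per tenant.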
While the company refrained from disclosing the exact number of targeted email accounts, it acknowledged that it constituted a very small percentage, including members of the senior leadership team and employees in cybersecurity, legal, and other functions.
Despite the detailed analysis, Microsoft has yet to provide a comprehensive timeline of the cyber-espionage campaign. The initial breach occurred in late November 2023, but Microsoft only became aware of it on January 12, 2024, which means the attackers may have been reading executives' email for nearly two months.
A point of scrutiny in the aftermath of this incident is Microsoft's admission that a critical test account lacked two-factor authentication. No software vulnerability was exploited; a poorly configured test environment, reachable from the corporate tenant, allowed the hackers to move into Microsoft's corporate network without being noticed.
CrowdStrike CEO George Kurtz raised questions about how a non-production test environment could lead to the compromise of the most senior officials in Microsoft. Microsoft contends that if the same non-production test environment were deployed today, mandatory policies and workflows would ensure two-factor authentication and active protections to better guard against such attacks.
Transparency and a commitment to continuous improvement in the design, building, testing, and operation of Microsoft's software and services are crucial elements in mitigating the impact of security threats and ensuring the security of its vast user base.