Russian hackers breached Microsoft corporate emails in a month-long operation

Microsoft has revealed that the Russian hacking group known as Midnight Blizzard/Nobelium successfully launched an attack targeting senior executives and individuals in the cybersecurity and legal departments.

The APT group gained initial access by leveraging a brute force attack to compromise a legacy non-production test tenant account. They then used the account to access the email content of selected individuals.

The attack was discovered on January 12, 2024, but Microsoft believes the operation started in November 2023. According to the tech giant, the hackers were trying to determine how much Microsoft knew about their operation.

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required,” Microsoft said.

The company has already started mitigation and warns it might lead to disruption of business processes.

“We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might disrupt existing business processes,” The company said, adding that they will be cooperating with law enforcement and respective regulators to aid the process.

The fresh attack on Microsoft brings up bad memories of another attack less than 6 months ago in which Chinese cyber-spies exploited stolen Azure AD enterprise signing keys to infiltrate M365 email inboxes.

25 government organisations were compromised in the attack which is still being investigated by the Cyber Security Review Board (CSRB).

The hacking group which you might have also heard referred to as APT29 or Cozy Bear is believed to be under the Russian government and was linked to the unforgettable SolarWinds hack in 2020.