Microsoft ID’s Russia-Backed Actor Behind Leadership Email Hacks

Beginning in November 2023, a nation state threat actor gained access to and exfiltrated information from a small number of Microsoft employee email accounts. The technology corporation detected the threat actor on Jan. 12, according to its 8-K filed with the US Securities and Exchange Commission. In a blog post published on Jan. 19, Microsoft identified the threat actor as Midnight Blizzard, a Russian state-sponsored actor responsible for several other high-profile cyberattacks.

Nation state threat actors continue to ramp up their activity. How did Midnight Blizzard execute this attack against Microsoft? What can security leaders to do reduce the risk their enterprises face?

The Hack

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” Microsoft shared in an emailed statement. The company notes in its 8-K and blog that it will notify its customers if any action is required.

The threat actor was able to gain a foothold in Microsoft’s systems not by exploiting a vulnerability but by executing a password spray attack. This attack compromised a “legacy non-production test tenant account,” according to the company’s blog. From there, the threat actor used the compromised account’s permissions to gain access to a number of employee email accounts belonging to members of the company’s senior leadership and employees in its cybersecurity and legal functions. The threat actor leveraged its access to search for information about itself.

Related:Merck's Cyberattack Settlement: What Does it Mean for Cyber Insurance Coverage?

Password spray attacks take advantage of human error: the tendency to select weak passwords. The technique involves attempting to log-in to a target group of accounts with a commonly used password, like “12345.” “By attempting to log in to a list of accounts with one common password, before moving on to another, the method avoids triggering account lockouts that may occur after multiple consecutive failed login attempts,” Karan Sondhi, chief technology officer for public sector at cybersecurity company Trellix, explains via email.

“It seems like the most likely issue … is that there was a legacy system that did do not have MFA [multifactor authentication],” says Oleg Kolesnikov, vice president of threat research at Securonix, a security analytics and operations management company.

MFA and stronger password hygiene can mitigate the risk of password spray attacks. “Although it is somewhat unclear how long the attackers were able to elude detection, there might have been an opportunity via log monitoring to discover their presence and kick them out faster,” Padraic O'Reilly, chief innovation officer at CyberSaint, a cyber risk management software company, tells InformationWeek in an email interview.

Related:What CISOs Need to Know About Nation-State Actors

The Threat Actor

Midnight Blizzard is “…a Russia-based group of actors made up of some of the most sophisticated cyber reconnaissance and operational threats to the US, NATO, the EU, and their international partners,” Andrew Borene, executive director of global security at global threat intelligence firm Flashpoint, tells InformationWeek via email. The Russian state-sponsored group, also known as NOBELIUM, APT 29, the Dukes and CozyBear, is affiliated with the Russian Foreign Intelligence Service (SVR).

The group is responsible for several high-profile cyberattacks, including those against SolarWinds in 2020 and the Democratic National Committee in 2015.

Just days after Microsoft disclosed the threat actor’s hack of employee email accounts, Hewlett Packard Enterprise (HPE) filed an 8-K revealing that Midnight Blizzard had gained access to its cloud-based email environment. The threat actors gained access to HPE’s Microsoft Office 365 email environment, according to Bleeping Computer.

Related:Another Cyberattack on Critical Infrastructure and the Outlook on Cyberwarfare

HPE reports that it was notified of the threat actor’s access on Dec. 12, 2023. In its investigation, HPE determined that Midnight Blizzard gained access to and exfiltrated data beginning in May 2023, according to the 8-K.

The group uses a variety of techniques, often leveraging social engineering to gain access to victims’ systems. Microsoft has been closely tracking Midnight Blizzard’s activity and publishing insight into its tactics and attacks. “They don't like when their methods are exposed, obviously. So, they are going after researchers, and researchers have to be aware of that,” says Kolesnikov

The threat actor searched for information about itself once it gained access to employee email accounts, suggesting an interest in how much Microsoft has learned about it.

The attack on Microsoft is part of the larger trend of continued nation-state threat actor activity. “It is in line with the kind of gamesmanship that state-sponsored actors engage in. There seem to be many motives in play: extortion, embarrassment, and espionage loom large,” says O’Reilly.

It is likely that Midnight Blizzard and other nation state-sponsored groups will continue to target private sector companies, such as Microsoft.

“I personally think this is just one event in an observable pattern of Russian aggression,” says Borene. “We will see increasing interest in private sector cybersecurity proficiency beyond CISOs and measuring holistic security at an enterprise level, to include non-executive board directors, investors, and other C-suite members.”

Ongoing Nation State Threat Actor Activity

Geopolitical tension is increasing around the world and nation state threat actor activity with it. “Our Advanced Research Center has seen a 50% spike in the last six months of nation state activity stemming from Russia and Ukraine, Israel and Hamas, and Taiwan and China," says Sondhi.

As private sector companies continue to be targeted by nation state threat actors, leadership teams need to consider how their enterprises can continue to do business while managing this risk.

“How do you let the normal business processes run while maintaining security? And, at times, these are the two conflicting goals,” says Kolesnikov. “One of the key takeaways for CISOs here is that maybe sometimes you need to push a little harder.”

With many nation state-sponsored attacks taking advantage of human error, CISOs can highlight the importance of training and password management. “Better training around phishing and better password management -- these are not expensive fixes for the modern enterprise, and improving these can significantly reduce loss exposures,” says O’Reilly.

Borene emphasizes the importance of “…taking proactive defensive measures like keeping systems patched and updated, and working with best-in-class providers of cyber threat intelligence and a trusted ecosystem of cybersecurity providers.”

Each new nation state-sponsored attack that comes to light serves as a reminder. “For enterprise-level businesses, I hope this is a wake-up call that no one is immune to these attacks, or any cyberattack, for that matter,” says Sondhi.