State-sponsored hacker group targets further Microsoft users with cyberattacks
In a series of password-spray attacks, the state-backed Russian group Midnight Blizzard has successfully compromised Microsoft's corporate network, gaining access to senior leadership accounts. This ongoing campaign, first disclosed in April, has led to the theft of tens of thousands of State Department emails and the exfiltration of some federal agency credentials.
The password-spray technique tries a few commonly used passwords against many accounts rather than many passwords against one account, which keeps each account below its lockout threshold and makes the attempts harder to distinguish from ordinary failed logins. Midnight Blizzard exploited weaknesses in Microsoft's Azure cloud platform and Active Directory, creating access tokens for targeted applications once inside.
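As an added illustration that is not part of the original article, the following Python example shows how a defender can spot the spray pattern described above in sign-in logs: one source failing against many distinct accounts while staying under the per-account lockout threshold. The log lines, field layout and thresholds are constructed assumptions, not Microsoft or Azure telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): timestamp,user,source_ip,result
SAMPLE_LOG = """\
2024-01-12T03:00:01Z,alice@example.com,203.0.113.7,failure
2024-01-12T03:00:04Z,bob@example.com,203.0.113.7,failure
2024-01-12T03:00:07Z,carol@example.com,203.0.113.7,failure
2024-01-12T03:00:10Z,dave@example.com,203.0.113.7,failure
2024-01-12T03:00:13Z,erin@example.com,203.0.113.7,failure
2024-01-12T03:00:16Z,frank@example.com,203.0.113.7,success
2024-01-12T03:05:00Z,alice@example.com,198.51.100.9,failure
2024-01-12T03:05:03Z,alice@example.com,198.51.100.9,failure
2024-01-12T03:05:06Z,alice@example.com,198.51.100.9,success
"""


def parse_events(text):
    """Parse the constructed CSV layout into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Flag sources that fail against many distinct accounts inside a time window
    while never exceeding max_per_account failures on any single account.
    A single user mistyping a password several times (few accounts, many tries)
    does not match; a spray (many accounts, few tries each) does."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    findings = []
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed = defaultdict(int)
            for _, user, result in in_window:
                if result == "failure":
                    failed[user] += 1
            if len(failed) >= min_accounts and max(failed.values()) <= max_per_account:
                findings.append({
                    "source_ip": ip,
                    "window_start": start.isoformat(),
                    "accounts_targeted": len(failed),
                    "max_attempts_per_account": max(failed.values()),
                    # Accounts that eventually succeeded from the spraying source
                    # are the ones to review for token issuance and mailbox access.
                    "successful_accounts": sorted({u for _, u, r in in_window if r == "success"}),
                })
                break  # one finding per source is enough; tune thresholds to your lockout policy
    return findings
```

Real sign-in telemetry should also be grouped by user agent and ASN, since spray operators rotate source addresses; the source-IP grouping here is the simplest form of the check.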
Microsoft has responded to these breaches by disclosing the incidents, improving cloud platform security, and collaborating with security researchers and partners to mitigate ongoing threats. The company has also emphasized the importance of patching misconfigurations and hardening identity and access management systems to resist credential-based attacks like password spraying.
In a recent development, Microsoft has notified additional enterprise customers that their emails were compromised by the Midnight Blizzard threat group. These notifications mark the latest in a series of rolling disclosures by Microsoft since the hacks were originally discovered in January. The company has also provided customers with email correspondence that was accessed by the Midnight Blizzard threat actor.
However, some customers who received the notifications have expressed concerns on social media, fearing potential phishing attempts. An HPE spokesperson stated that the company has not heard from Microsoft with any new details about the Midnight Blizzard attacks.
This campaign is an example of the sophisticated credential-based intrusions that state-sponsored groups continue to mount against major tech firms and their customers. Katell Thielemann, a distinguished VP analyst at Gartner, emphasized the importance of forensics in cybersecurity, stating that "a cyber event is not a 'just in time' event."
Microsoft President Brad Smith took responsibility for the compromises and promised that the company would make wholesale changes. In response, Microsoft accelerated plans to reform its security practices under a program called the Secure Future Initiative. The company also announced in March that the hackers had gained access to some source code repositories and internal systems.
Midnight Blizzard, a group linked to the 2020 Sunburst attacks and also known as Nobelium, had been stealing information from numerous senior executives at Microsoft since November 2023.
- The ongoing Midnight Blizzard campaign, a series of password-spray attacks, highlights the importance of robust cybersecurity measures in the face of state-sponsored groups targeting major tech firms and their clients.
- Microsoft's response to the Midnight Blizzard attacks has included disclosing the breaches, improving its security practices, and collaborating with security researchers to strengthen its technology and identity management systems, while underscoring the need for forensic investigation in cybersecurity.