Microsoft says the Russian government-backed hacking team that broke into its corporate network and spied on senior executives also stole source code and may still be poking around its internal computer systems.
In what is being described as an “ongoing attack,” the world’s largest software maker says it has evidence the hacking group “is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access.”
“This has included access to some of the company’s source code repositories and internal systems,” Microsoft said in a brief statement. The company did not provide any additional details on the source code access or which internal systems had been breached.
“To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised,” Redmond said.
Microsoft said it is apparent that Midnight Blizzard is still attempting to use secrets of different types that were shared between customers and Microsoft in email in addtional attacks.
“[As] we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” the company said, warning that the hacking group has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.
“[The hackers] may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks,” the company said.
The latest twist comes less than a month after the Midnight Blizzard hackers were caught in Microsoft’s corporate network spying on emails and attachments from senior executives and targets in the cybersecurity and legal departments.
The APT, which has also been blamed for the SolarWinds supply chain hack, used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts.
“[They] exfiltrated some emails and attached documents,” Microsoft said in a filing with the Securities and Exchange Commission (SEC).
The company said its security team detected the nation-state attack on its corporate systems on January 12, 2024 and traced the infection back to November 2023.
The discovery of Russian hackers in Microsoft’s network comes less than six months after Chinese cyberspies were caught forging authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes.
That hack, which led to the theft of email data from approximately 25 government organizations in the United States, is currently being investigated by the CISA Cyber Security Review Board (CSRB).
Midnight Blizzard/Nobelium (AKA APT29 and Cozy Bear by others) is the same group that was attributed to hacking IT management solutions provider SolarWinds in a massive supply chain attack in 2020.
Related: Microsoft Says Russian Hackers Stole Emails From Senior Execs
Related: Microsoft Hires New CISO in Major Security Shakeup
Related: Chinese Cyperspies Use Stolen Microsoft Key to Hack Gov Emails
Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits
Related: Microsoft Bows to Pressure to Free Up Cloud Security Logs
