Connect with us

Hi, what are you looking for?


Incident Response

Microsoft Says Russian Gov Hackers Stole Source Code After Spying on Executive Emails

Microsoft says the Midnight Blizzard APT group may still be poking around its internal network after stealing source code, spying on emails.


Microsoft says the Russian government-backed hacking team that broke into its corporate network and spied on senior executives also stole source code and may still be poking around its internal computer systems.

In what is being described as an “ongoing attack,” the world’s largest software maker says it has evidence the hacking group “is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access.”

“This has included access to some of the company’s source code repositories and internal systems,” Microsoft said in a brief statement.  The company did not provide any additional details on the source code access or which internal systems had been breached.

“To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised,” Redmond said.

Microsoft said it is apparent that Midnight Blizzard is still attempting to use secrets of different types that were shared between customers and Microsoft in email in addtional attacks.

“[As] we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” the company said, warning that the hacking group has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024. 

“[The hackers] may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks,” the company said.

The latest twist comes less than a month after the Midnight Blizzard hackers were caught in Microsoft’s corporate network spying on emails and attachments from senior executives and targets in the cybersecurity and legal departments.  

Advertisement. Scroll to continue reading.

The APT, which has also been blamed for the SolarWinds supply chain hack, used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts.

“[They] exfiltrated some emails and attached documents,” Microsoft said in a filing with the Securities and Exchange Commission (SEC).

The company said its security team detected the nation-state attack on its corporate systems on January 12, 2024 and traced the infection back to November 2023.

The discovery of Russian hackers in Microsoft’s network comes less than six months after Chinese cyberspies were caught forging authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes. 

That hack, which led to the theft of email data from approximately 25 government organizations in the United States, is currently being investigated by the CISA Cyber Security Review Board (CSRB).  

Midnight Blizzard/Nobelium (AKA APT29 and Cozy Bear by others) is the same group that was attributed to hacking IT management solutions provider SolarWinds in a massive supply chain attack in 2020.

Related: Microsoft Says Russian Hackers Stole Emails From Senior Execs

Related: Microsoft Hires New CISO in Major Security Shakeup

Related: Chinese Cyperspies Use Stolen Microsoft Key to Hack Gov Emails

Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits

Related: Microsoft Bows to Pressure to Free Up Cloud Security Logs

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.