
State-sponsored hacking group launches attacks on additional Microsoft customers notified

Microsoft reveals the wider spread of the Midnight Blizzard cyberattacks, a previously undisclosed extent of the breach it first reported in January.


Microsoft has been making a series of disclosures regarding cyberattacks by the Russian state-sponsored hacking group known as Midnight Blizzard (also known as Nobelium). The latest notifications are the newest in this series, which began in January.

The hackers gained access to some source code repositories and internal systems through continued and ramped-up password-spray attacks. This week's disclosures add detail for customers who have already been notified and also include new notifications for additional enterprise customers.

Midnight Blizzard used a series of password-spray attacks to compromise a legacy, non-production test tenant account. From that foothold, they hacked into customer accounts, potentially compromising internal corporate communications and sensitive information.
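The password-spray pattern described above (a few common passwords tried once or twice each against many accounts, so that no single account trips a lockout) is detectable from sign-in telemetry. The following is an added example, not code from Microsoft or from the article: it runs over a constructed sign-in log, groups failed attempts by source address and time window, and flags a window in which many distinct accounts fail a small number of times each, reporting any successful sign-in from the same source in that window. The log format, the field names and the thresholds (`window_minutes`, `min_users`, `max_failures_per_user`) are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sign-in events for the example (not real Microsoft telemetry).
# One attempt per line: timestamp, tenant, user, source_ip, result
SAMPLE_LOG = """\
2024-01-12T02:00:01Z legacy-test alice@example.test 203.0.113.7 FAILED
2024-01-12T02:00:09Z legacy-test bob@example.test 203.0.113.7 FAILED
2024-01-12T02:00:17Z legacy-test carol@example.test 203.0.113.7 FAILED
2024-01-12T02:00:25Z legacy-test dave@example.test 203.0.113.7 FAILED
2024-01-12T02:00:33Z legacy-test erin@example.test 203.0.113.7 FAILED
2024-01-12T02:00:41Z legacy-test frank@example.test 203.0.113.7 FAILED
2024-01-12T02:00:49Z legacy-test grace@example.test 203.0.113.7 FAILED
2024-01-12T02:00:57Z legacy-test heidi@example.test 203.0.113.7 SUCCESS
2024-01-12T02:03:10Z prod ivan@example.test 198.51.100.4 FAILED
2024-01-12T02:03:40Z prod ivan@example.test 198.51.100.4 FAILED
2024-01-12T02:04:10Z prod ivan@example.test 198.51.100.4 SUCCESS
"""


def parse_events(log_text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, tenant, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "tenant": tenant,
            "user": user.lower(),
            "ip": ip,
            "result": result,
        })
    return events


def detect_password_spray(log_text, window_minutes=10, min_users=5, max_failures_per_user=2):
    """Return one finding per (source IP, time window) that looks like a spray.

    A spray is many distinct accounts each failing only a few times from one
    source. Many failures against a single account is brute force, which a
    per-account lockout already handles, so it is deliberately not flagged here.
    """
    events = parse_events(log_text)

    # Bucket events by source IP and fixed time window.
    buckets = defaultdict(list)
    for e in events:
        bucket = int(e["ts"].timestamp() // (window_minutes * 60))
        buckets[(e["ip"], bucket)].append(e)

    findings = []
    for (ip, _bucket), evs in sorted(buckets.items()):
        failures = defaultdict(int)
        for e in evs:
            if e["result"] == "FAILED":
                failures[e["user"]] += 1

        if len(failures) < min_users:
            continue  # too few accounts touched to be a spray
        if max(failures.values()) > max_failures_per_user:
            continue  # concentrated on few accounts: brute force, not a spray

        # A success from the spraying source is the account the attacker got into.
        successes = sorted({e["user"] for e in evs if e["result"] == "SUCCESS"})
        findings.append({
            "source_ip": ip,
            "window_start": min(e["ts"] for e in evs).isoformat(),
            "tenants": sorted({e["tenant"] for e in evs}),
            "distinct_failed_users": len(failures),
            "compromised_users": successes,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LOG):
        print(finding)
```

The check is intentionally keyed on the source address; a spray distributed across many addresses needs the same logic applied per target tenant instead, and a legacy tenant that is exempt from MFA and conditional access, like the test tenant in the article, is exactly where a single success from a spraying source should page someone.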

Microsoft President Brad Smith took ownership for the compromises and promised the company would make wholesale changes under the program called the Secure Future Initiative.

Customers who received the notifications expressed concerns on social media, fearing potential phishing attempts. Microsoft is continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor.

The company is providing the customers the email correspondence that was accessed by this actor.

Midnight Blizzard, a group linked to the 2020 Sunburst attacks, has a documented history dating back to at least January 2024. They have been targeting high-level corporate users, particularly within Microsoft, focusing on senior executives and critical internal teams.

The scope of these campaigns includes compromising internal corporate communications, potentially impacting sensitive legal and security information. There are indications of ongoing evolution and adaptation of their tactics, DNS infrastructure, and spear-phishing campaigns contributing to sustained espionage efforts against Microsoft and presumably other enterprise targets.

The new disclosures were first reported by Bloomberg. At the time, HPE disclosed Midnight Blizzard attacks against its Microsoft environment.

Katell Thielemann, a distinguished VP analyst at Gartner, stated that "a cyber event is not a 'just in time' event," suggesting that much is often learned later in the forensics process.

Microsoft was lambasted in an April report by the Cyber Safety Review Board for a compromise last summer by China-linked threat actors that stole tens of thousands of State Department emails. The hackers intercepted data shared between Microsoft and the Cybersecurity and Infrastructure Security Agency, leading to the theft of some federal agency credentials.

In broader terms, Midnight Blizzard's attacks reflect a strategic focus on identity-related attacks to exploit weaknesses in enterprise access controls rather than relying solely on traditional software vulnerabilities. This aligns with a global trend towards targeting digital identities and privileged credentials as gateways for state-sponsored cyber intrusion.

| Aspect | Details |
|--------------------|-------------------------------------------------------------|
| Group Name | Midnight Blizzard (aka Nobelium) |
| Origin | Russian state-sponsored group, active since ~2008 |
| Key Attack Method | Password spraying on legacy/non-production Microsoft accounts |
| Known Incidents | January 2024 breach at Microsoft exposing senior teams' emails/documents |
| Targets | Microsoft senior leadership, security, legal teams |
| Impact Duration | Up to 2 months undetected access |
| Tactics Evolution | Continuing evolution in phishing, DNS footprint, access exploitation |
| Broad Strategy | Identity attacks focusing on privileged access and credentials |

No detailed public records indicate the exact number of Microsoft enterprise customers affected beyond Microsoft's corporate network breach, but the group's actions indicate significant espionage targeting high-value enterprise accounts.

As of Friday, an HPE spokesperson said the company has not heard from Microsoft with any new detail.

  1. The ongoing cybersecurity concerns have extended beyond Microsoft's corporate network, as Midnight Blizzard's cyberattacks on legacy Microsoft accounts indicate significant espionage targeting high-value enterprise accounts.
  2. The strategic focus of Midnight Blizzard, a Russian state-sponsored hacking group, has shifted from traditional software vulnerabilities to identity-related attacks, exploiting weaknesses in enterprise access controls, aligning with a global trend towards targeting digital identities and privileged credentials.
