Microsoft: Russian hackers are targeting other companies
Nobelium group is linked to Russian intelligence
Microsoft has warned that it is not the only victim of an attack by Russian hackers, a week after the initial reporting of the operation.
The tech giant said, "The same actor has been targeting other organisations and, as part of our usual notification processes, we have begun notifying these targeted organisations."
The number of organisations targeted is not yet known, but Microsoft is confident that the same attackers were behind the SolarWinds attack in 2020.
Microsoft has identified the hackers as the Midnight Blizzard group (aka Nobelium), believed to be working with, or actually part of, Russia's Foreign Intelligence Service (SVR). Other security companies track the group as APT29 and Cozy Bear.
The intrusion, first discovered on 12th January, began with a password spraying attack against a legacy system that lacked multi-factor authentication, raising concerns over sensitive information.
Password spraying is when hackers try to brute-force access to accounts using commonly used passwords or a list of passwords from past data breaches - one of the reasons why last week's Mother of All Breaches could prove so damaging.
Microsoft added, "The actor tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures.
"The threat actor further reduced the likelihood of discovery by launching these attacks from a distributed residential proxy infrastructure. These evasion techniques helped ensure the actor obfuscated their activity and could persist the attack over time until successful."
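The evasion described in that quote, a few attempts per account spread across many source addresses, is precisely what a per-account lockout threshold cannot see. As an added illustration (not code from Microsoft or from the article), the detector below runs over constructed sign-in records and alerts on breadth, many accounts each failing a little from many IPs, rather than on per-account volume. The log format, the thresholds and the addresses are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in records (not from any real tenant): time, account, source IP, result.
# Each account fails only once or twice, well under a lockout threshold, and attempts
# arrive from many different addresses, the pattern the article describes.
SAMPLE_LOG = """\
2024-01-10T01:05:10Z alice@corp.example 203.0.113.10 FAILURE
2024-01-10T01:41:52Z bob@corp.example 198.51.100.23 FAILURE
2024-01-10T02:18:03Z carol@corp.example 203.0.113.77 FAILURE
2024-01-10T02:55:37Z dave@corp.example 192.0.2.44 FAILURE
2024-01-10T03:30:19Z alice@corp.example 198.51.100.9 FAILURE
2024-01-10T04:02:48Z erin@corp.example 192.0.2.130 FAILURE
2024-01-10T04:47:21Z frank@corp.example 203.0.113.201 FAILURE
2024-01-10T05:12:05Z grace@corp.example 198.51.100.88 SUCCESS
2024-01-10T05:33:40Z heidi@corp.example 192.0.2.7 FAILURE
"""

LOCKOUT_THRESHOLD = 5        # assumed per-account lockout policy
WINDOW = timedelta(hours=6)  # attempts this far apart are still considered together
MIN_ACCOUNTS = 6             # distinct accounts hit before we call it a spray
MIN_SOURCE_IPS = 4           # distinct source addresses, i.e. distributed proxies

def parse_log(text):
    """Parse whitespace-separated records into sorted (time, account, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, ip, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, result))
    return sorted(events)

def detect_low_and_slow_spray(events, window=WINDOW, lockout=LOCKOUT_THRESHOLD,
                              min_accounts=MIN_ACCOUNTS, min_ips=MIN_SOURCE_IPS):
    """Return stats for the first window that looks like a sub-lockout, distributed spray, else None."""
    # Per-account lockout never fires: no single account exceeds the threshold.
    # The signal is breadth: many accounts, each failing a little, from many addresses.
    failures = [e for e in events if e[3] == "FAILURE"]
    for i, (start, _, _, _) in enumerate(failures):
        in_window = [e for e in failures[i:] if e[0] - start <= window]
        per_account = Counter(e[1] for e in in_window)
        source_ips = {e[2] for e in in_window}
        if (len(per_account) >= min_accounts and max(per_account.values()) < lockout
                and len(source_ips) >= min_ips):
            return {"start": start, "accounts": len(per_account),
                    "max_failures_per_account": max(per_account.values()),
                    "source_ips": len(source_ips)}
    return None
```

A classic brute force (many failures on one account from one address) returns None here because it is already the case a per-account lockout handles; the two controls complement each other.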
After the hackers gained access to an account, they "used the account's permissions to access a very small percentage of Microsoft corporate email accounts." The number of emails compromised is not specified.
The tech giant said the hackers were more interested in seeing the information the company had about them.
Hewlett Packard Enterprise (HPE) said Midnight Blizzard breached its Microsoft-hosted email system on 12th December. According to the company's own investigation, the hackers "accessed and exfiltrated data" from a small percentage of HPE mailboxes beginning in May 2023.
Although nobody has directly confirmed the attacks on Microsoft and HPE are linked, the similarities in terms of attackers and dates are striking.
HPE spokesperson Adam R. Bauer told TechCrunch, "We don't have the details of the incident that Microsoft experienced and disclosed last week, so we're unable to link the two at this time."
HPE said the incident was linked to an earlier intrusion, where the same hackers exfiltrated "a limited number of SharePoint files" from its network.