Microsoft notifies more customers their emails were accessed by Russian hackers

More bad news on Microsoft security

Microsoft notifies more customers their emails were accessed by Russian hackers

Image:
Microsoft notifies more customers their emails were accessed by Russian hackers

Microsoft has told more customers that their emails were compromised during a late 2023 cyberattack carried out by the Russian hacking group Midnight Blizzard.

"This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor," a Microsoft spokesperson told Bloomberg.

According to Bloomberg, Microsoft is providing clients with a secure link to designate someone within their organisation to review the compromised messages through a custom-built system.

"You are receiving this notification because emails were exchanged between Microsoft and accounts in your organization, and those emails were accessed by the threat actor Midnight Blizzard as part of their cyberattack on Microsoft," the notice states.

Microsoft initially disclosed the breach in January, stating that hackers had infiltrated senior leaders' emails and attempted to leverage them to access customer communications, including those of government bodies.

The attack began in late November 2023. Despite the lengthy period the attackers were present in the system, Microsoft initially insisted that that only a "very small percentage" of corporate accounts were compromised. However, the attackers managed to steal emails and attached documents during the incident.

The breach was facilitated through a password spraying technique, which the hackers used to access a "legacy non-production test tenant account" with outdated code. The attackers used that account's permissions to infiltrate accounts belonging to senior Microsoft leaders and other targeted employees.

In March, Microsoft said that the attackers used the stolen information to attempt further unauthorised access within its systems.

Midnight Blizzard

The Russian hacking group Midnight Blizzard, also known by aliases Nobelium, APT29 and Cozy Bear, is infamous for its sophisticated attacks. Microsoft, along with the US government, classifies the group as part of the Russian Foreign Intelligence Service, SVR.

It is the same group US and UK authorities hold responsible for the 2020 supply chain attack on SolarWinds.

In that attack, malicious code was embedded within a software update, granting the attackers further access to customer systems. The SolarWinds attack ultimately targeted nearly 100 companies and nine federal agencies for further intrusions.

Midnight Blizzard/Nobelium has also breached cybersecurity firm FireEye, government agencies and IT service providers, as well as launching several attacks on the Ukrainian government during the ongoing war.

The latest disclosure adds to the pressure Microsoft faces regarding its cybersecurity practices.

In April, a highly critical report [pdf] by the US Cyber Safety Review Board slammed the company's response to a separate 2023 incident where Chinese hackers accessed emails of high-profile US government officials.

The report criticised Microsoft's "cascade of security failures" and a culture that downplayed security investments in favour of new products.

"Microsoft had not sufficiently prioritised rearchitecting its legacy infrastructure to address the current threat landscape," the report said.

The urgency of the situation prompted US federal agencies to take action in April.

An emergency directive was issued by the US Cybersecurity and Infrastructure Security Agency (CISA), mandating government agencies to analyse emails, reset compromised credentials, and tighten security measures for Microsoft cloud accounts, fearing potential access to sensitive communications by Midnight Blizzard hackers.

CISA even said the Microsoft hack posed a "grave and unacceptable risk" to government agencies.