It turns out that the Russian state-backed hacking group "Midnight Blizzard" had access to Microsoft's source code and internal systems



Microsoft announced in January 2024 that it had been hacked by the Russian state-backed hacker group "Midnight Blizzard," also known as NOBELIUM, Cozy Bear, and APT29. In a follow-up report on March 8, Microsoft reported that Midnight Blizzard had used information obtained through that hack to infiltrate its network further and gain access to its source code and internal systems.

Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center
https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

Microsoft says Kremlin-backed hackers accessed its source and internal systems | Ars Technica
https://arstechnica.com/security/2024/03/microsoft-says-kremlin-backed-hackers-accessed-its-source-and-internal-systems/

Microsoft says Russian hackers breached its systems, accessed source code
https://www.bleepingcomputer.com/news/microsoft/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code/

In the Midnight Blizzard hack announced by Microsoft in January, employee email accounts were compromised through a password spray attack, and email texts and attachments were leaked.

A password spray attack is an attempt to log in to many accounts using a small number of commonly used passwords. Two-factor authentication can reduce the risk, but it had not been enabled on the 'legacy non-production test tenant account' that was targeted, an account that had been left in place rather than deleted after it was decommissioned.
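To make the pattern described above concrete, here is an added example (not from the article, and not Microsoft's tooling) that runs a simple password-spray heuristic over constructed sign-in log lines: one source failing against many distinct accounts a few times each, then succeeding against one account, which is the outcome a stale account without a second factor invites. The log format, IP addresses, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not from any real system).
SAMPLE_LOG = """\
2024-01-12T02:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-01-12T02:00:05Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-01-12T02:00:09Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-01-12T02:00:14Z ip=203.0.113.7 user=dave@example.com result=FAIL
2024-01-12T02:00:20Z ip=203.0.113.7 user=test-tenant-admin@example.com result=SUCCESS
2024-01-12T02:03:00Z ip=198.51.100.4 user=alice@example.com result=FAIL
2024-01-12T02:03:30Z ip=198.51.100.4 user=alice@example.com result=FAIL
2024-01-12T02:04:00Z ip=198.51.100.4 user=alice@example.com result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Flag source IPs whose failures within `window` hit many distinct accounts,
    each only a few times: the low-and-slow shape that stays under per-account lockout.
    A single account hammered repeatedly (brute force) is deliberately NOT flagged here."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_win = [u for t, u in fails[i:] if t - start <= window]
            users = set(in_win)
            if len(users) >= min_users and all(in_win.count(u) <= max_per_user for u in users):
                findings[ip] = sorted(users)
                break
    return findings

def successes_after_spray(events, findings):
    """Accounts that authenticated successfully from a spraying IP: first candidates to review."""
    return sorted({user for _, ip, user, result in events if ip in findings and result == "SUCCESS"})
```

Accounts returned by `successes_after_spray` are the ones to check first for missing two-factor authentication and for being decommissioned but never deleted.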



Additionally, Microsoft said in its announcement, 'In recent weeks, we have seen evidence that Midnight Blizzard has been using information originally leaked from corporate email systems to gain or attempt to gain unauthorized access. This includes access to the source code repository and some internal systems,' revealing that the source code was accessed as a result of the information leaked in the January hack.

So far, Microsoft has found no evidence that the customer-facing systems it hosts have been compromised, but Midnight Blizzard continues to use previously obtained information in subsequent attacks, and Microsoft reports that its password spray attacks have become more frequent than before.

'This means that the passwords used to log into accounts are weak enough to be guessed with credentials collected from previous breaches,' tech news site Ars Technica pointed out.



Microsoft said it was clear that Midnight Blizzard was attempting to use confidential information, some of which had been shared in the leaked emails between Microsoft and its customers, and that it is therefore contacting those customers and supporting them in taking countermeasures.

It is not clear what 'confidential information' refers to, but according to IT news site Bleeping Computer, it could be authentication tokens, API keys, or credentials.

Microsoft said, 'Midnight Blizzard's ongoing attack is characterized by the threat actor's sustained commitment of extensive resources, coordination, and focus. This reflects an unprecedented and escalating global threat, particularly in terms of sophisticated nation-state attacks,' reiterating the danger of international cyber threats backed by the Russian government.

in Security, Posted by log1l_ks