A Russia-based group hacked emails from Microsoft executives – CSO Online

A Russia-based group, Midnight Blizzard, also known as Nobelium, hacked the emails of Microsoft employees, including those of senior executives, Microsoft revealed in a recent blog post.

“Starting in late November 2023, the threat actor used a password spray attack to compromise and gain a foothold on an old, non-production test tenant account, then leveraged the account's permissions to access a very small percentage of Microsoft enterprise email accounts. Members of our senior leadership team and our cybersecurity, legal and other employees were hacked, and some emails and attached documents were exfiltrated,” the blog post said.
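The technique described in the quote, a password spray, is easy to miss with per-account lockout rules because the attacker tries a few passwords against many accounts rather than many passwords against one. The detector below is an added example written for this article, not code from Microsoft or from CSO Online; it runs over a constructed, clearly fictional sign-in log (the user names, IP addresses, log format and thresholds are all assumptions) and keys on the signature that matters: one source, many distinct accounts, few attempts each, followed by a success from the same source, which is the foothold.

```python
"""Password-spray detection over constructed sign-in records (added example).

Spray signature: a single source tries a few common passwords against many
distinct accounts, staying under per-account lockout thresholds.  The tell is
high account cardinality per source, not a high failure count per account.
A success from the same source after the spray is the foothold to chase.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry.  Fields mirror the usual
# sign-in log shape: timestamp, user, source IP, result.
SAMPLE_LOG = """\
2023-11-28T02:00:05Z,alice@corp.example,198.51.100.7,failure
2023-11-28T02:00:41Z,bob@corp.example,198.51.100.7,failure
2023-11-28T02:01:17Z,carol@corp.example,198.51.100.7,failure
2023-11-28T02:01:52Z,dave@corp.example,198.51.100.7,failure
2023-11-28T02:02:30Z,erin@corp.example,198.51.100.7,failure
2023-11-28T02:03:04Z,frank@corp.example,198.51.100.7,failure
2023-11-28T02:03:39Z,grace@corp.example,198.51.100.7,failure
2023-11-28T02:04:15Z,legacy-test@corp.example,198.51.100.7,failure
2023-11-28T02:25:48Z,legacy-test@corp.example,198.51.100.7,success
2023-11-28T08:12:01Z,carol@corp.example,203.0.113.5,failure
2023-11-28T08:12:20Z,carol@corp.example,203.0.113.5,failure
2023-11-28T08:12:44Z,carol@corp.example,203.0.113.5,failure
2023-11-28T08:13:02Z,carol@corp.example,203.0.113.5,success
2023-11-28T08:30:10Z,dave@corp.example,203.0.113.9,success
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    source: str
    ok: bool


def parse_log(text):
    """Parse the comma-separated sample format into SignIn records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, source, result = line.split(",")
        # fromisoformat accepts a trailing 'Z' only on Python 3.11+, so normalise it.
        events.append(SignIn(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                             user, source, result == "success"))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3):
    """Return one finding per source that hit >= min_accounts distinct accounts
    within `window`, with no account tried more than max_per_account times
    (the low-and-slow pattern that evades lockout).  Thresholds are assumptions
    to tune per tenant."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)

    findings = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        for i, start in enumerate(evs):           # sliding window over this source
            fails = defaultdict(int)
            for e in evs[i:]:
                if e.ts - start.ts > window:
                    break
                if not e.ok:
                    fails[e.user] += 1
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                if best is None or len(fails) > best["distinct_accounts"]:
                    best = {"source": source, "distinct_accounts": len(fails),
                            "window_start": start.ts}
        if best:
            # Any success from the spraying source after the spray began is the foothold.
            best["foothold_accounts"] = sorted(
                {e.user for e in evs if e.ok and e.ts >= best["window_start"]})
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {f['source']}: {f['distinct_accounts']} accounts, "
              f"foothold on {f['foothold_accounts']}")
```

Carol's three typos from 203.0.113.5 are not flagged (one account, several attempts is a lockout or typo pattern, not a spray), while the source that touched eight accounts once each and then logged in to the legacy test account is. In production the source-IP key is the weak point: sprays are routinely spread across rotating proxy addresses, so the same cardinality check should also be run tenant-wide (distinct accounts failing per time bucket, regardless of source) and against the user-agent or ASN, and any account that succeeds right after appearing in a spray deserves a session revocation and a look at what its permissions reach, which is exactly where a forgotten test tenant becomes a path into corporate mail.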

This is not the first time that Midnight Blizzard, or Nobelium, has targeted the company. Last year, Microsoft accused the group of using social engineering to carry out credential-theft attacks against Microsoft Teams users.

Although the attack began in late November 2023, it was not discovered until January 12, 2024. The fact that the breach began in late November 2023 and was only discovered around mid-January 2024, according to Microsoft's blog post, makes such incidents even more alarming, said Deepak Kumar, Founding Analyst and Chief Research Officer at BMNxt Business and Market Advisory. “The frequency shows, as in previous cases of this type, that even the most sophisticated cybersecurity systems are far from sufficient,” he said.

A weak link in security?

Microsoft emphasized that the attack was not due to a vulnerability in its products or services. “To date, there is no evidence that the threat actor had access to customer environments, production systems, source code or AI systems. We will notify customers if action is required,” the company’s blog post said.

But analysts believe not enough may have been done to secure senior management's email accounts. “The breach also raises the possibility that best practices such as zero trust security are not necessarily applied to executive email accounts, which were the primary targets in this case,” Kumar said. He added that a “weak link in the security chain” may have led to the compromise of employees' emails.

Cyberattacks led by Russia-based groups are increasing significantly. Nobelium is believed to be part of the Russian foreign intelligence service SVR and is known to target government organizations and NGOs in the US and Europe. Nobelium is also blamed for the 2020 SolarWinds supply-chain attack on the company's customers, considered one of the largest cyberattacks to date.

Last month, the US CISA warned that SVR was exploiting a vulnerability in JetBrains' TeamCity software (CVE-2023-42793) to attack organizations. Given the increasing intensity of cyberattacks, Microsoft announced the Secure Future Initiative (SFI) last year to better protect its customers. Now the company says it will “act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even if these changes could disrupt existing business processes.”