
Russian-backed hackers managed to gain access to the mail accounts of important people within Microsoft. Microsoft itself reported this in a blog post last night. Customers need not worry about this hack, the company indicated. However, internal procedures may be tightened a bit.

The group behind the attack, which took place in late November 2023, is Midnight Blizzard, a Russian-backed party also known as Nobelium. This group was also responsible for the supply-chain attack on SolarWinds several years ago. Microsoft discovered the attack on its own corporate environment on Jan. 12.

How did Midnight Blizzard/Nobelium get in?

At this point, not a huge amount is known about the scope of the attack. Microsoft does, however, reveal how the attackers got in: by means of a so-called password spray attack. As the name suggests, this is a brute force attack in which a list of login names is tried against the systems the attackers are targeting. Each login name is combined with the same single password; if that password doesn’t work for any of them, the attackers try another one, and so on until they get in.
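The pattern just described (many accounts, one password each, rather than one account hammered many times) is also what makes a spray detectable in sign-in telemetry. The following Python sketch is an added example, not code from the original article and not Microsoft's own detection logic; the sign-in events, account names and addresses in it are constructed for illustration. It groups failed sign-ins per source address inside a sliding time window, flags sources that touch many distinct accounts with only a few failures per account, and reports whether any sign-in from that source later succeeded.

```python
"""Password-spray detection over a handful of constructed sign-in events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events; they are not real Microsoft telemetry.
# Each tuple: (ISO timestamp, user principal name, source IP, result)
SAMPLE_EVENTS = [
    # One source tries the same password against six accounts in a few minutes,
    # then a second password lands on a forgotten test account.
    ("2023-11-20T02:00:05", "alice@corp.example",       "198.51.100.7", "failure"),
    ("2023-11-20T02:00:41", "bob@corp.example",         "198.51.100.7", "failure"),
    ("2023-11-20T02:01:17", "carol@corp.example",       "198.51.100.7", "failure"),
    ("2023-11-20T02:01:55", "dave@corp.example",        "198.51.100.7", "failure"),
    ("2023-11-20T02:02:30", "erin@corp.example",        "198.51.100.7", "failure"),
    ("2023-11-20T02:03:02", "legacy-test@corp.example", "198.51.100.7", "failure"),
    ("2023-11-20T02:03:40", "legacy-test@corp.example", "198.51.100.7", "success"),
    # One user mistyping a password a few times from an office address: not a spray.
    ("2023-11-20T08:15:00", "frank@corp.example",       "203.0.113.9",  "failure"),
    ("2023-11-20T08:15:20", "frank@corp.example",       "203.0.113.9",  "failure"),
    ("2023-11-20T08:15:45", "frank@corp.example",       "203.0.113.9",  "failure"),
    ("2023-11-20T08:16:10", "frank@corp.example",       "203.0.113.9",  "success"),
]


def parse_events(rows):
    """Turn raw tuples into (datetime, user, ip, result) records sorted by time."""
    parsed = [(datetime.fromisoformat(ts), user, ip, result)
              for ts, user, ip, result in rows]
    return sorted(parsed)


def detect_password_spray(events, window=timedelta(hours=1),
                          min_distinct_users=5, max_attempts_per_user=3):
    """Flag source IPs whose failed sign-ins inside some `window` hit at least
    `min_distinct_users` distinct accounts while no single account sees more
    than `max_attempts_per_user` failures. That shape (wide, shallow) is the
    spray; one account failing many times is a different signal and is ignored
    here. For each flagged source the widest qualifying window is reported,
    together with any account that successfully signed in from that source."""
    events = sorted(events)
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(set)   # ip -> {user}
    for ts, user, ip, result in events:
        if result == "failure":
            failures[ip].append((ts, user))
        elif result == "success":
            successes[ip].add(user)

    alerts = []
    for ip, fails in failures.items():
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward so fails[start:end+1] spans <= window.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_attempts_per_user):
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "source_ip": ip,
                        "window_start": fails[start][0].isoformat(),
                        "window_end": fails[end][0].isoformat(),
                        "distinct_users": len(per_user),
                        # A success from a spraying source is the part that matters.
                        "succeeded_users": sorted(successes[ip]),
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The thresholds are deliberately parameters: a real deployment tunes `min_distinct_users` and `window` to the tenant's size and to how slowly the attacker is willing to go, and the `succeeded_users` field is what turns a noisy "someone is spraying" signal into an incident.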

That eventually succeeded in this attack, after which the attackers moved laterally to “a small percentage” of corporate accounts. These included members of the senior leadership team, as well as employees from the cybersecurity, legal and other departments. The attackers managed to exfiltrate “some” emails and attachments, Microsoft indicates. According to the company, these were mostly accounts and information related to Midnight Blizzard itself. That would suggest that it was mainly a sort of reconnaissance mission by the attackers, to find out how much Microsoft knows about the group.

This hack targeted Microsoft’s internal, corporate systems. The vulnerability is not in Microsoft’s products and services. According to the company, so far no evidence has been found that the attackers had access to customer environments, production systems, source code or AI systems. Should this prove to be the case, Microsoft will notify affected customers.

Microsoft does not have complete overview and insight

In itself, the above method of attacking an environment is fairly common. However, with all the modern tooling available today, these types of attacks are usually also detectable relatively quickly. That this did not happen at Microsoft was partly due to the type of account that was accessed and used. In its own blog post, Microsoft talks about a “legacy non-production test tenant account”. From that, we infer that this was an account that had fallen off the radar: an account over which Microsoft had no oversight and that was not included in an inventory of potential entry points for hackers. Had it been inventoried, it would not have taken several months for it to become clear that something was going on.

No 2FA/MFA?

Microsoft regularly gives users solicited and unsolicited advice on how to better protect accounts. Two-factor authentication (2FA) and multi-factor authentication (MFA) are two terms that then often come up. Among other things, it has developed its own Authenticator app for this, but it can also be done in many other ways.

However, Microsoft does not seem to be doing everything it advises users to do. After all, a brute force attack is basically impossible to pull off if 2FA or MFA is in use. The alternative would be that someone willfully granted access via the second authentication method. But that’s not very realistic, because in that case you generally don’t need a brute force attack in the first place. So it really does seem that Microsoft has not been careful enough here.

Ultimately, Microsoft will not have left 2FA/MFA unconfigured on purpose. There is no reason to assume that. More likely, the lack of 2FA/MFA is simply due to a lack of visibility over all assets within Microsoft. If you don’t know what you have, you can’t protect and secure it.

The attack in late November was one on a legacy tenant that was no longer used in a production environment. Those are typically the targets you can lose sight of as a company. However, attackers do not lose sight of these types of targets, because they are often a relatively easy way to get in. This hack proves that once again.
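The visibility gap the last three paragraphs describe (a non-production tenant with no MFA that nobody was watching) is the kind of thing a periodic inventory audit is meant to surface. The following Python sketch is an added example, not from the original article and not a description of Microsoft's internal tooling; the inventory records, field names and thresholds are assumptions for illustration. It walks a constructed list of tenants/accounts and reports each one that is unowned, lacks enforced MFA, still allows legacy authentication, or has been idle longer than a grace period, so the forgotten test tenant is the first item on the list rather than an unknown.

```python
"""Inventory hygiene audit over a constructed list of tenants/accounts."""
from datetime import date

# Constructed inventory; names and fields are illustrative assumptions.
INVENTORY = [
    {"name": "corp-prod", "environment": "production", "owner": "identity-team",
     "mfa_enforced": True, "legacy_auth_allowed": False,
     "last_sign_in": date(2024, 1, 11)},
    {"name": "legacy-test-2019", "environment": "test", "owner": None,
     "mfa_enforced": False, "legacy_auth_allowed": True,
     "last_sign_in": date(2023, 3, 14)},
    {"name": "dev-sandbox", "environment": "development", "owner": "platform-team",
     "mfa_enforced": True, "legacy_auth_allowed": False,
     "last_sign_in": date(2023, 6, 2)},
]


def audit_inventory(inventory, today, stale_after_days=90):
    """Return one finding per item that fails any hygiene check, most reasons first.

    Checks: an accountable owner exists, MFA is enforced, legacy (password-only)
    authentication is disabled, and the item has been used within the grace period.
    An item with no findings is omitted, so an empty list means a clean inventory."""
    findings = []
    for item in inventory:
        reasons = []
        if not item.get("owner"):
            reasons.append("no owner")
        if not item.get("mfa_enforced", False):
            reasons.append("MFA not enforced")
        if item.get("legacy_auth_allowed", False):
            reasons.append("legacy auth allowed")
        idle_days = (today - item["last_sign_in"]).days
        if idle_days > stale_after_days:
            reasons.append(f"idle {idle_days} days")
        # Non-production items with any defect are the ones most likely to be forgotten.
        if reasons and item["environment"] != "production":
            reasons.append("non-production")
        if reasons:
            findings.append({"name": item["name"],
                             "environment": item["environment"],
                             "reasons": reasons})
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)


if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY, today=date(2024, 1, 12)):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Run on a schedule and diffed against the previous run, a report like this is what keeps a legacy tenant from quietly staying out of scope for months; the specific checks are less important than the fact that every item has an owner who has to answer for its row.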