After being attacked itself, Microsoft is warning about the threat posed by Midnight Blizzard. The Russian state-backed group exposed serious security failings at Microsoft, and the company is now keen to say it has learned its lesson.

Midnight Blizzard (also known as Nobelium) obtained access to the e-mail of senior Microsoft executives via a legacy, non-production test tenant. From that tenant, which had apparently dropped off the radar of Microsoft's security teams, the group moved laterally into the corporate environment and reached the mailboxes. We covered the incident shortly after it was disclosed last week.

In an extensive blog post, Microsoft explains how it pieced together exactly what Midnight Blizzard did. It is also at pains to stress that the same intrusion could not happen to customers today: had the legacy tenant been deployed under Microsoft's current practices, the attack would have been stopped, the company says. That explanation is unlikely to quell expert criticism of the incident.

Old story

It is to be appreciated that Microsoft is being forthright about the methods of an attacker that penetrated the company itself. Such disclosures help other organizations prepare for similar incidents. It is notable, however, that the new blog post repeats much of what was already known. Back in June 2023, Microsoft sounded the alarm about Midnight Blizzard's tactics, naming stolen credentials, vulnerabilities in webmail software and the deployment of JavaScript malware as attack vectors. Two months later, the tech giant published a blog post showing that Midnight Blizzard used social engineering on Teams to bypass MFA. The attack on Microsoft did not require MFA to be bypassed at all: the legacy test tenant account used for initial access did not have MFA enabled.

Now Microsoft is laying out the actual steps the group took to get into the Redmond-based company and stay unseen. Initial access was gained by password spraying the legacy test tenant account, deliberately kept to a small number of accounts and a low number of attempts so as not to trigger lockouts or alerts. From there the attackers abused OAuth applications: a legacy test application that already held elevated access to Microsoft's corporate environment was used to grant their own newly created malicious apps the Exchange Online full_access_as_app role, which is what let them read the corporate mailboxes. The sign-ins were routed through residential proxy infrastructure, so the traffic arrived from ordinary-looking home IP addresses and blended in with legitimate users.
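What that chain looks like from the defender's side is worth making concrete. The following is an added example, not code from the article or from Microsoft: a Python script that runs over constructed Entra ID-style sign-in log lines, picks out a low-and-slow password spray (one source hitting many distinct accounts with a small number of failed attempts each) and then flags any account that signed in successfully from an IP seen spraying. The field names mirror Entra sign-in log exports; the thresholds, IP addresses and account names are assumptions.

```python
"""Detect a low-and-slow password spray in Entra ID-style sign-in logs and
flag any account whose later successful sign-in came from a spraying IP.

Added example, not code from the article or from Microsoft. The log lines
below are constructed; their fields mirror the shape of Entra ID sign-in
log exports (createdDateTime, userPrincipalName, ipAddress, status.errorCode).
The window and account thresholds are assumptions to tune per environment.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in result codes used here:
#   0     = success
#   50126 = invalid username or password
SUCCESS = 0
INVALID_PASSWORD = 50126

# Constructed sample (not real data): 203.0.113.7 tries one password against
# six accounts a few minutes apart (too slow to trip a lockout), then signs in
# to a test account that had no MFA. 198.51.100.20 is one user mistyping a
# password, and 203.0.113.9 touches only two accounts.
SAMPLE_LOG = """
{"createdDateTime": "2024-01-10T08:00:00Z", "userPrincipalName": "alice@test.example", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-10T08:07:00Z", "userPrincipalName": "bob@test.example", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-10T08:10:00Z", "userPrincipalName": "frank@corp.example", "ipAddress": "198.51.100.20", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-10T08:11:00Z", "userPrincipalName": "frank@corp.example", "ipAddress": "198.51.100.20", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-10T08:12:00Z", "userPrincipalName": "frank@corp.example", "ipAddress": "198.51.100.20", "status": {"errorCode": 0}}
{"createdDateTime": "2024-01-10T08:15:00Z", "userPrincipalName": "carol@test.example", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-10T08:23:00Z", "userPrincipalName": "dave@test.example", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-10T08:30:00Z", "userPrincipalName": "gina@test.example", "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-10T08:31:00Z", "userPrincipalName": "erin@test.example", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-10T08:35:00Z", "userPrincipalName": "hank@test.example", "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-10T08:40:00Z", "userPrincipalName": "svc-legacytest@test.example", "ipAddress": "203.0.113.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-10T09:05:00Z", "userPrincipalName": "svc-legacytest@test.example", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records into time-sorted dicts."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "upn": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "code": rec["status"]["errorCode"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_spray(events, window=timedelta(hours=1), min_accounts=5):
    """Return {ip: set(upns)} for IPs whose invalid-password failures hit at
    least min_accounts distinct accounts inside any single window. A user who
    mistypes hits one account many times; a sprayer hits many accounts a few
    times each, which is what the distinct-account count captures."""
    failures = defaultdict(list)
    for e in events:  # events are time-sorted, so each per-IP list is too
        if e["code"] == INVALID_PASSWORD:
            failures[e["ip"]].append(e)
    sprayers = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            upns = {x["upn"] for x in evs[start:end + 1]}
            if len(upns) >= min_accounts:
                sprayers.setdefault(ip, set()).update(upns)
    return sprayers


def compromised_accounts(events, sprayers):
    """Accounts that signed in successfully from an IP that was spraying:
    the success-after-spray pattern is the one worth paging on."""
    return sorted({e["upn"] for e in events
                   if e["code"] == SUCCESS and e["ip"] in sprayers})


def analyse(text, window=timedelta(hours=1), min_accounts=5):
    events = parse_signins(text)
    sprayers = detect_spray(events, window, min_accounts)
    return sprayers, compromised_accounts(events, sprayers)


if __name__ == "__main__":
    spray, hits = analyse(SAMPLE_LOG)
    for ip, upns in spray.items():
        print(f"spray from {ip}: {len(upns)} distinct accounts")
    print("success after spray:", hits)
```

Grouping by source IP is the simplest cut, but it is exactly what residential proxies weaken: an attacker rotating through home IPs may never exceed the per-IP threshold. A tenant-wide variant that counts distinct accounts failing with code 50126 per window regardless of IP, and a per-account rule that treats a success following a failure on an account with no MFA as an incident, are the natural complements.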

Speaking to Politico, Marc Rogers, CTO at nbhd.ai, suggests that Microsoft's rhetoric is misleading. “I love how they wordsmithed it into a warning about how sophisticated these attackers are and the dangerous new world we find ourselves in. When in reality it appears to have been a massive failure of security best practice,” he says. Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, added: “I can tell you as someone who works at a security company, our executives are not residing on legacy tenants without an MFA.”

“You would think that the executive leadership of Microsoft and their cybersecurity team would be running in a more secure environment. So seemingly the largest enterprise in the world doesn’t know how to implement multi-factor authentication.”

Other organizations warned

Microsoft also states in the blog post that it is aware of other organizations affected by Midnight Blizzard. HPE is one of them, although that company could not immediately confirm a link between the Microsoft incident and its own infiltration. Midnight Blizzard primarily targets government agencies, NGOs and large IT service providers in Europe and the United States. The infamous 2020 SolarWinds hack was also carried out by this group.

It is not clear whether we will hear from all affected parties. Either way, this is said to be a major cyber-espionage campaign. Microsoft itself suggests that the attackers were chiefly after the company's knowledge of the hacking group's own activities. Given that Microsoft is the world's largest endpoint security vendor, that objective and the choice of target are not entirely surprising.

That explanation does raise the question of why executive mailboxes in particular were targeted. The mailboxes of senior Microsoft (and HPE) employees hold far more than knowledge about the hacker group, and from the stolen material, which remains in Midnight Blizzard's hands, much of Microsoft's future plans could be gleaned. Very little is known, however, about exactly what was taken. Both Microsoft and HPE say only a small fraction of their mailboxes were involved. The real impact of this hack therefore has yet to surface, as has the full list of who else was in Midnight Blizzard's crosshairs.