Russia-Sponsored Cyberattackers Infiltrate Microsoft's Code Base

The Midnight Blizzard APT is mounting a sustained, focused cyber campaign against the computing kahuna, using secrets it stole from emails back in January.

Snowstorm at night
Source: ArtesiaWells via Alamy Stock Photo

The Russian state-sponsored advanced persistent threat (APT) group known as Midnight Blizzard has nabbed Microsoft source code after accessing internal repositories and systems, as part of an ongoing series of attacks by a very sophisticated adversary.

The Redmond giant noted today that the previously announced cyber campaign by Midnight Blizzard, which commenced in January, has evolved. Assailants are continually probing its environment in an attempt to use secrets of different types that it originally exfiltrated from internal emails. It's a "sustained, significant commitment" on the part of the group, according to Microsoft.

"Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access [deeper into our environment]," according to Microsoft's blog post on the attack. "This has included access to some of the company’s source code repositories and internal systems."

The group (aka APT29, Cozy Bear, Nobelium, and UNC2452) may also be laying the groundwork for future efforts, according to the post, "using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so."

Further, Microsoft said that the attackers are turning up the volume on password-spraying attempts, observing a tenfold increase in February against its accounts.

Ariel Parnes, chief operating officer and co-founder at Mitiga, noted in an emailed statement that the source-code heist could lead to a flurry of zero-day vulnerability exploitation.

"For advanced nation-state cyber groups, access to a company's source code is akin to finding the master key to its digital kingdom, opening up avenues for finding new zero-day vulnerabilities: undiscovered security flaws that can be exploited before they're known to the software creators or the public," he warned, adding that the Microsoft breach is clearly much "more severe than initially understood, underscoring the critical nature of source code security in the digital age."

The good news is that there's so far no evidence that Midnight Blizzard has compromised Microsoft-hosted customer-facing systems; however, in some instances, secrets were shared between customers and Microsoft in email.

"As we discover them in our exfiltrated email," according to the post, "we have been and are reaching out to these customers to assist them in taking mitigating measures."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights