Microsoft Falls Victim to Russia-Backed 'Midnight Blizzard' Cyberattack

Russian state-sponsored threat actor Nobelium used a basic password-spray attack to breach Microsoft corporate email accounts, including those of senior executives.


Microsoft's corporate systems were compromised in late November 2023 by the same Russian nation-state actor behind the 2020 SolarWinds Orion software supply chain cyberattack, known to Microsoft threat researchers as Midnight Blizzard (aka APT29, Cozy Bear, or Nobelium).

The breach wasn't detected until Jan. 12, the company said.

A preliminary analysis by the Microsoft Security Response Center (MSRC) showed that the nation-state advanced persistent threat (APT) actor used a simple password-spray attack to gain access to a legacy, non-production test tenant account, then used that account's permissions to compromise "a very small percentage of Microsoft corporate email accounts," according to a company blog post from Jan. 19. Breached email accounts included those belonging to senior leadership, as well as members of the cybersecurity and legal teams, among others, Microsoft said. The company's investigation indicated that the attackers were initially after information Microsoft held about Midnight Blizzard's own operations.

In its statement, Microsoft vowed a cybersecurity overhaul of its legacy systems, regardless of the impact to operations.

"We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes," Microsoft announced. "This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy."

Microsoft Nation-State Cyberattack Lessons

The successful cyberattack against Microsoft should remind cybersecurity teams not to overlook the sensitive information held in systems they treat as less critical, such as email and file sharing, according to a statement from Omri Weinberg, co-founder of DoControl.

"Many of these kinds of services are consumed via a software as a service (SaaS) model, which can make security and monitoring more challenging for organizations," Weinberg said.

The fact that the Russian nation-state actor was able to maintain persistence in Microsoft's systems for so long also points to a lack of attention to cloud logging, according to Arie Zilberstein, co-founder and CEO of Gem Security.

"Surprisingly, the adversary managed to stay persistent in the cloud infrastructure for more than two months before being discovered," Zilberstein said in a statement. "We recommend that organizations implement continuous monitoring of their cloud logs so they can spot anomalous activities before attackers can access and exfiltrate sensitive data."
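The password spray that opened the door, and the cloud-log monitoring Zilberstein calls for, are two sides of the same detection problem. The following Python is an added example written for this article, not code from Microsoft or from either vendor quoted, and it is not a description of Microsoft's own detections. It shows why a spray slips past the per-account lockout rule most teams rely on, and what a source-keyed rule over sign-in logs looks like instead. The field names follow the Entra ID sign-in log schema and error code 50126 is Entra's "invalid username or password" result; every IP address, account name, timestamp and threshold is constructed for illustration.

```python
"""Spotting a password spray in cloud sign-in logs.

Added example for this article; not Microsoft code and not a description of
Microsoft's own detections. Field names follow the Entra ID sign-in log
schema (createdDateTime, userPrincipalName, ipAddress, status.errorCode).
Error code 50126 is Entra's "invalid username or password" result and 0 is a
successful sign-in; every IP address, account name, timestamp and threshold
below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = 50126
SUCCESS = 0


def brute_force_accounts(events, threshold=5):
    """The classic per-account rule: flag any account with `threshold` or more
    bad passwords. A spray spreads one or two guesses across many accounts, so
    no single account crosses the line and this returns nothing."""
    fails = defaultdict(int)
    for e in events:
        if e["status"]["errorCode"] == BAD_PASSWORD:
            fails[e["userPrincipalName"].lower()] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def detect_password_spray(events, window=timedelta(minutes=15),
                          min_accounts=5, max_fails_per_account=2):
    """Key on the source instead of the target: one IP that fails against
    `min_accounts` or more distinct accounts inside `window`, with at most
    `max_fails_per_account` failures each, is a spray. Any later successful
    sign-in from that IP to one of the sprayed accounts is the account the
    spray landed on and is reported as likely compromised."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["createdDateTime"]):
        by_ip[e["ipAddress"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["status"]["errorCode"] == BAD_PASSWORD]
        for i, first in enumerate(fails):
            t0 = datetime.fromisoformat(first["createdDateTime"])
            in_window = [e for e in fails[i:]
                         if datetime.fromisoformat(e["createdDateTime"]) <= t0 + window]
            per_account = defaultdict(int)
            for e in in_window:
                per_account[e["userPrincipalName"].lower()] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_fails_per_account):
                compromised = sorted({
                    e["userPrincipalName"].lower() for e in evs
                    if e["status"]["errorCode"] == SUCCESS
                    and e["userPrincipalName"].lower() in per_account
                    and datetime.fromisoformat(e["createdDateTime"]) >= t0})
                findings.append({
                    "ip": ip,
                    "window_start": first["createdDateTime"],
                    "window_end": in_window[-1]["createdDateTime"],
                    "accounts_targeted": len(per_account),
                    "compromised": compromised,
                })
                break  # report the first qualifying window per source IP
    return findings


def _ev(time, upn, ip, code):
    """Build one constructed sign-in event in the Entra log shape."""
    return {"createdDateTime": f"2024-01-01T{time}", "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


SPRAY_IP = "198.51.100.23"  # constructed; RFC 5737 documentation range
SAMPLE_EVENTS = [
    # one source, one guess per account, a minute apart: below any lockout threshold
    _ev("03:00:10", "alice@corp.example", SPRAY_IP, BAD_PASSWORD),
    _ev("03:01:05", "bob@corp.example", SPRAY_IP, BAD_PASSWORD),
    _ev("03:02:00", "carol@corp.example", SPRAY_IP, BAD_PASSWORD),
    _ev("03:02:55", "dave@corp.example", SPRAY_IP, BAD_PASSWORD),
    _ev("03:03:50", "erin@corp.example", SPRAY_IP, BAD_PASSWORD),
    _ev("03:04:45", "svc-test-legacy@corp.example", SPRAY_IP, BAD_PASSWORD),
    _ev("03:05:40", "frank@corp.example", SPRAY_IP, BAD_PASSWORD),
    # the second guess against the forgotten test account lands
    _ev("03:06:35", "svc-test-legacy@corp.example", SPRAY_IP, SUCCESS),
    # benign noise: one user mistyping a password twice from a home IP, then succeeding
    _ev("03:10:00", "grace@corp.example", "203.0.113.5", BAD_PASSWORD),
    _ev("03:10:20", "grace@corp.example", "203.0.113.5", BAD_PASSWORD),
    _ev("03:10:40", "grace@corp.example", "203.0.113.5", SUCCESS),
]

if __name__ == "__main__":
    print("per-account brute-force rule flags:", brute_force_accounts(SAMPLE_EVENTS))
    for f in detect_password_spray(SAMPLE_EVENTS):
        print(f"spray from {f['ip']}: {f['accounts_targeted']} accounts, "
              f"compromised={f['compromised']}")
```

Run against the constructed events, the per-account rule flags nothing, while the source-keyed rule reports the spray and names the stale test account as the one it landed on; the real lesson is that the success event, not the failures, is what the investigation hinges on, and it only stands out when failures and successes from the same source are correlated. A production rule should also key on shared user agents or autonomous systems rather than a single IP, since modern sprays rotate through residential proxy addresses, and should feed into the identity provider's own risk signals rather than replace them.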

The Nobelium APT has harried Microsoft and its services before. In the summer of 2023, the group launched Teams phishing attacks against government and industrial organizations using compromised Microsoft 365 tenants.

About the Author

Becky Bracken, Senior Editor, Dark Reading


Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

