Russian threat group APT29 has struck another blow to Microsoft, breaching corporate email accounts including some belonging to senior executives and members of the software giant’s cybersecurity and legal teams.
APT29, also known as Cozy Bear and tracked by Microsoft as Midnight Blizzard (previously Nobelium), is believed to be responsible for the 2020 SolarWinds supply chain attack which impacted multiple organizations, including Microsoft.
In 2021, the nation-state advanced persistent threat (APT) gang, part of the Russia's Foreign Intelligence Service (SVR), targeted Microsoft customers in 36 countries after it infiltrated an employee’s computer and stole account information.
APT29’s latest attack on the company began in late November last year, and was revealed in an 8-K filing to the U.S. Security and Exchange Commission (SEC) on Jan 19.
Microsoft said it discovered on Jan. 12 that the group accessed and exfiltrated information from “a very small percentage” of staff email accounts, including some belonging to members of its senior leadership team, along with employees with roles in cybersecurity, legal, and other parts of the organization.
“We were able to remove the threat actor’s access to the email accounts on or about January 13,” the company said.
In a post by its Security Response Center (SRC) published on the same day as the 8-K notification, Microsoft said APT29 “used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold.” The gang then used the account’s permissions to access the compromised email accounts.
Password spraying involves attempting to log into multiple accounts from one organization by trying a limited number of commonly used passwords. (As opposed to brute force attacks that bombard a single account with numerous login attempts).
The threat group’s success accessing the compromised account using a password spray attack suggests two-factor authentication was not in use, despite Microsoft recommending it as a security measure.
The company said it did not have any evidence that APT29 had accessed any customer environments, production systems, source code, or AI systems.
“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed,” the SRC post said.
In its SEC filing, Microsoft said it was examining the information accessed by the threat group to determine the impact of the hack.
“We also continue to investigate the extent of the incident. We have notified and are working with law enforcement. We are also notifying relevant regulatory authorities with respect to unauthorized access to personal information,” it said.
“As of the date of this filing, the incident has not had a material impact on the Company’s operations. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
In July last year, Microsoft revealed a China-based APT group acquired and used a private encryption key to forge authentication tokens to access the cloud-based email accounts of at least two dozen organizations.
Among the organizations compromised through the group’s access to Microsoft 365 accounts were the U.S. State and Commerce departments, with Secretary of Commerce Gina Raimondo’s email account among those compromised.