Microsoft's source code repositories and internal systems were accessed by a Russian state-sponsored threat actor, the software maker said in a March 8 update for a case in January where its email systems were infiltrated to steal data.
As Microsoft shared on Jan. 19, its threat intelligence team identified Midnight Blizzard as the Russian state-sponsored threat actor also known as Nobelium. The group also goes by APT29 and Cozy Bear, best known for being a part of the 2016 attack on the Democratic National Committee.
Microsoft added that Midnight Blizzard has increased the volume of some aspects of the attack — such as password sprays — by as much as 10-fold in February, compared with the already large volume Microsoft saw in January. Microsoft indicated it will continue to publish updates as it learns more about the attack.
“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” wrote Microsoft. “It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”
The increasing trend of targeting source code and development infrastructure and the software supply chain in general is something I have been warning about for a while, said Ken Westin, Field CISO at Panther Labs.
“Gaining access to email systems is just the initial part of the attack,” explained Westin. “The real value is in the compromise of source code where attackers can identify new vulnerabilities to exploit or potentially inject their own into code to infect systems downstream. I expect these attacks to increase not only in volume, but also in sophistication.”
John Bambenek, president at Bambenek Consulting, added that whenever something like source code gets stolen, incident responders have to start thinking about how threat actors can use the information to attack the organization and its customers.
“Attackers naturally gravitate towards credentials so defenders can put more strict monitoring on the underlying accounts to look for misuse, after rotating the keys or passwords, of course,” said Bambenek. “That seems to be what’s driving the additional insights Microsoft provided this morning. However, unlike traditional expulsion events in incident response where we simply close all the doors opened by an attacker, source code and secret theft requires ongoing monitoring, remediation, and response months after the breach was mitigated.”