Microsoft Corp.’s security team has disclosed that Microsoft was targeted by a Russian-linked hacking group and that a small number of email accounts, including those belonging to senior staff, were compromised.

The attack was detected on Jan. 12, with a response plan immediately implemented to disrupt the activity and investigate what had happened. The investigation subsequently identified the threat actor behind the attack as a group Microsoft calls Midnight Blizzard, but is more commonly referred to as Nobelium.

Nobelium is the same group behind the attacks on SolarWinds WorldWide LLC, which started in 2019 but were first detected in December 2020. And the company that traced Nobelium to SolarWinds and issued warnings about the group was Microsoft.

The history is pertinent as to why Microsoft was targeted by the group several years later. The email addresses breached at Microsoft included those belonging to the senior leadership team, legal department and most notably employees in Microsoft’s cybersecurity team.

Microsoft’s investigation found that beginning in late November, the threat actor used a password spray attack to compromise a legacy nonproduction test tenant account to gain a foothold and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. Password-spraying is a type of cyberattack where an attacker attempts to gain unauthorized access to many accounts by using a few commonly used passwords. Someone at Microsoft clearly was not following advice on using unique passwords.

The investigation also found that Nobelium was looking for information about itself, further suggesting that the attack was targeted and personal.

The Microsoft Security Response Center notes that though some emails and attached documents were exfiltrated, there is no evidence that the threat actor had any access to customer environments, production systems, source code or artificial intelligence systems. Any customer that is found to be affected will be notified by Microsoft.

To Microsoft’s credit, not only was it upfront in disclosing that it was the victim, but it’s also using it as proof of the continued risk posed by threat groups such as Midnight Blizzard/Nobelum.

“Given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient,” the Microsoft security team writes. “For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”

Image: DALL-E 3