Microsoft has provided an update on a sophisticated, ongoing cyber attack by a Russian state-sponsored hacking group known as Midnight Blizzard or Nobelium. The attack, first detected in January 2024, has escalated significantly in recent weeks as the hackers attempt to leverage stolen data to breach Microsoft's internal systems and source code repositories.
In a blog post, Microsoft revealed that Midnight Blizzard infiltrated the company's corporate email system on January 12th, allowing the hackers to exfiltrate sensitive data and secrets. While customer-facing systems have not been compromised yet, the hackers are using the stolen information to launch increasingly aggressive password spraying attacks against Microsoft's systems.
"It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found," Microsoft stated. "Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures."
The frequency of password spray attacks, where common passwords are tried across many accounts, increased tenfold in February compared to January as Midnight Blizzard ramps up its malicious efforts. Microsoft warns the attack "is characterized by a sustained, significant commitment of the threat actor's resources, coordination, and focus."
Midnight Blizzard, active since at least 2018, is a renowned hacking collective backed by Russian foreign intelligence. It primarily targets government agencies, NGOs, and tech companies in the US and Europe with the goal of espionage and intelligence gathering to support Russian interests.
The group excels at compromising legitimate accounts and authentication systems to evade detection while expanding illicit access within targeted organizations.
In this case, Midnight Blizzard abused legacy authentication protocols and hijacked Microsoft's own security tools like OAuth applications to infiltrate the company's defences.
While the full extent of the breach is still being investigated, Microsoft states it has already implemented enhanced security controls, monitoring, and threat detection capabilities to counter Midnight Blizzard's relentless onslaught.
"Across Microsoft, we have increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat," the company stated.
The incident underscores the stark cybersecurity threats facing major tech firms from well-resourced nation-state actors. Microsoft notes, "This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks."