Russian Spies Brute Force Senior Microsoft Staff Accounts

Russian state hackers managed to compromise the email accounts of some of Microsoft’s senior leadership team, using basic brute-force techniques, the tech giant has admitted.

Microsoft revealed on Friday that the “Midnight Blizzard” group (aka Nobelium, APT29, Cozy Bear) was detected on its systems on January 12.

The fact that brute-force tactics worked indicates that the compromised email accounts were not protected with multi-factor authentication (MFA) – a major oversight for senior leaders at one of the world’s leading technology companies. Password spray attacks involve threat actors trying commonly used, easy-to-guess passwords against many accounts at once, rather than hammering a single account with many passwords.
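As an added illustration of the password-spray pattern described above (example code written for this page, not Microsoft's or the article's), the detector below flags a source that fails sign-ins against many distinct accounts within a short window and lists any account it subsequently logged into; the log format and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (hypothetical format, not real data).
SAMPLE_LOG = """\
2023-11-28T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-11-28T02:00:05Z src=203.0.113.7 user=bob result=FAIL
2023-11-28T02:00:09Z src=203.0.113.7 user=carol result=FAIL
2023-11-28T02:00:13Z src=203.0.113.7 user=dave result=FAIL
2023-11-28T02:00:17Z src=203.0.113.7 user=erin result=FAIL
2023-11-28T02:00:21Z src=203.0.113.7 user=frank result=FAIL
2023-11-28T02:00:25Z src=203.0.113.7 user=test-legacy result=SUCCESS
2023-11-28T02:10:00Z src=198.51.100.9 user=alice result=FAIL
2023-11-28T02:10:04Z src=198.51.100.9 user=alice result=FAIL
2023-11-28T02:10:08Z src=198.51.100.9 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, source, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {src: {'users': n, 'success': [...]}} for each source whose
    failures touch >= min_users distinct accounts inside one sliding window.
    A spray looks like few failures per account spread across many accounts,
    which per-account lockout thresholds alone do not catch."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (ts, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - ts <= window]
            failed_users = {u for _, u, r in in_win if r == "FAIL"}
            if len(failed_users) >= min_users:
                succ = sorted({u for _, u, r in in_win if r == "SUCCESS"})
                alerts[src] = {"users": len(failed_users), "success": succ}
                break
    return alerts
```

The second source in the sample fails repeatedly against one account and is not flagged, which is the distinction between a spray and a conventional per-account brute force.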

“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said in a post.

“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.”

Microsoft added that there’s no evidence the state hacking group, which is thought to be linked to Russia’s foreign intelligence service (SVR), accessed customer environments, production systems, source code or AI systems.

However, it did admit that the incident will force it to accelerate plans to implement a major new internal cybersecurity program, the Secure Future Initiative.

“We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes,” the post explained.

“This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy.”