Russia’s Midnight Blizzard Accesses Microsoft Source Code

Written by

A notorious Russian state-backed APT group has accessed Microsoft source code and internal systems in an ongoing campaign that was first discovered in early January.

Microsoft revealed the news in a blog post on Friday, explaining that the Midnight Blizzard group (aka Nobelium, APT29, Cozy Bear) was detected using the secrets it stole in earlier email-focused attacks.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” Microsoft said.

“This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Read more on Microsoft security strategy: Microsoft Takes on Cyber-Threats with New Secure Future Initiative

APT29 is using different types of secret information in its attacks, the tech giant added.

“Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” it added.

“Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.”

Password spraying involves threat actors trying commonly used and easy-to-guess passwords to unlock multiple accounts at once.

It was used in the January attacks to compromise a small number of potentially highly sensitive email accounts belonging to members of the Microsoft senior leadership team, as well as staff in the firm’s cybersecurity, legal and other functions.

It’s believed that the group, which is linked to Russia’s foreign intelligence service (SVR), was trying to ascertain what Microsoft’s threat intelligence experts know about it.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” the tech giant said.

“It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”

What’s hot on Infosecurity Magazine?