Microsoft has revealed that the Russian state-sponsored hacking group Midnight Blizzard gained access to internal systems and source code repositories during a cyberattack in January.
The tech giant said its security team detected the attack on January 12, 2024 and activated its response process to prevent any further access to its systems and mitigate potential damage.
Identified as Midnight Blizzard, the group is believed to have used a password spraying attack to compromise a legacy, non-production test tenant account and gain initial access.
From here, attackers were able to access a small percentage of Microsoft's corporate email accounts, including its senior leadership team and staff in its legal, security and other functions, according to an update published on January 19.
The update added that the attack was not the result of a vulnerability in Microsoft products or services.
In its latest update, published on March 8, 2024, Microsoft said it has seen evidence that the group is using information extracted from its corporate email systems to attempt to gain unauthorized access to both Microsoft and customer networks.
“It is clear that Midnight Blizzard is trying to use secrets of different types that it has found,” the company said in a blog post. “Some of these secrets were shared between customers and Microsoft via email and, as we discovered them in our exfiltrated files, email, we have been and are reaching out to these customers to help them take mitigation measures.”
The company described the attack as characterized by a sustained and significant commitment of the group's resources, coordination and focus. It was speculated that threat actors could be using the information to build a better picture with which to plan future attacks or improve their offensive capabilities.
Microsoft also noted that Midnight Blizzard increased the volume of certain aspects of the attack, such as password spraying, by approximately a factor of ten in February compared to levels seen in January.