Midnight Blizzard, also known as APT29 or Cozy Bear, operates under Kremlin support and poses a significant threat. Following a breach detected in January 2024, they infiltrated Microsoft’s internal systems and accessed portions of its source code.
“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain unauthorized access,” the tech company said.
“This has included getting into some of the company’s internal systems and source code repositories.” So far, there is no evidence indicating that customer-facing Microsoft systems have been compromised.”
Redmond is currently investigating the extent of the breach. The statement suggests that the Russian state-sponsored threat actor is attempting to leverage various secrets, including emails from customers to Microsoft.
However, the disclosure did not specify the nature of the secrets or the magnitude of the breach. The company did mention reaching out directly to individuals affected, but details about which source code was accessed remain unclear.
Microsoft has announced an increased investment in security measures. The attacker escalated the number of password spray attacks by up to 10 times in February compared to January, a period already marked by a significant volume of attacks.
“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” it stated.
“It might be using the information it has gathered to build a picture of targets and make it easier for itself to attack them.” Highlighting a shift in the global threat landscape to an unprecedented level, particularly with the rise of sophisticated attacks orchestrated by nation-states.
According to reports, the Microsoft breach occurred in November 2023. Midnight Blizzard employed a password spray attack to gain access to an old, non-production test tenant account lacking multi-factor authentication (MFA).
In late January, the tech giant disclosed that APT29 had targeted other companies utilizing various initial access methods, including stolen credentials and supply chain attacks.
Midnight Blizzard is widely perceived as an arm of Russia’s Foreign Intelligence Service (SVR), having operated since at least 2008 and earning recognition as one of the most active and adept hacking groups. Their exploits include infiltrating high-profile targets like SolarWinds.
“Microsoft’s breach by Midnight Blizzard is a strategic blow,” stated Amit Yoran, CEO of Tenable, in a comment to The Hacker News. Midnight Blizzard isn’t merely a small-scale criminal outfit; their organization boasts considerable skill and backing from Russia. They possess the understanding to exploit leaked information to inflict maximum damage.
Given Microsoft’s ubiquitous presence, the company bears a heightened responsibility to be transparent and forthcoming, a sentiment echoed by Yoran. However, there remains a lack of transparency regarding the compromised source code. These breaches appear interconnected, and Microsoft’s opaque security practices and ambiguous disclosures seem designed to obfuscate the full extent of the situation.
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.