Computing Giant Says Hackers Did Not Access Customer Data or Production Systems
Russian state hackers obtained access to the inboxes of senior Microsoft executives for at least six weeks, the computing giant disclosed late Friday afternoon.
In a filing with U.S. regulators, Microsoft disclosed a late November attack that led to email and document exfiltration from the email accounts of “senior leadership” and employees in its cybersecurity and legal departments. It detected the attack on Jan. 12 and cut off hackers’ access “on or about Jan. 13.”
“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” the company said.
Microsoft fingered the Russian state hacking group it tracks as Midnight Blizzard – formerly Nobelium – also known as APT29 and Cozy Bear. The White House in 2021 connected the group to the Russian Foreign Intelligence Service after its hackers inserted a backdoor into IT infrastructure software developed by SolarWinds.
A representative for Microsoft did not immediately return a request for comment clarifying what constitutes Microsoft “senior leadership.”
Microsoft stock is currently down 0.42% in after-hours trading; Microsoft disclosed the incident after the market closed Friday.
The company in its regulatory disclosure says attackers executed a password spraying attack in late November, gaining access to “a legacy non-production test tenant account.” Password spraying is a technique in which hackers enter the same password guess into a number of accounts in an attempt to avoid account lockout by betting that at least one user uses a previously leaked password or has one that is easy to guess.
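A defender's view of the technique described above, as an added example that is not from the article or from Microsoft: a short Python detector that flags the spray pattern (one source failing against many distinct accounts with only a few attempts each, the signature of an attacker staying under a lockout threshold) in constructed sign-in log lines of a hypothetical format, and then lists any account that subsequently succeeded from the flagged source, which is the foothold to triage first. The log format, field names, thresholds and IP addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log lines in a hypothetical format (not real Microsoft or
# Entra ID telemetry). Three patterns are mixed in:
#   * 203.0.113.7 tries one password across many accounts, one attempt each,
#     and finally gets into a legacy test account (the spray);
#   * 198.51.100.5 is a legitimate user mistyping a password twice;
#   * 192.0.2.9 hammers a single account (brute force, not a spray).
SAMPLE_LOG = """\
2023-11-20T02:00:01 src=203.0.113.7 user=alice@example.test result=FAIL
2023-11-20T02:00:04 src=203.0.113.7 user=bob@example.test result=FAIL
2023-11-20T02:00:07 src=203.0.113.7 user=carol@example.test result=FAIL
2023-11-20T02:00:10 src=203.0.113.7 user=dave@example.test result=FAIL
2023-11-20T02:00:13 src=203.0.113.7 user=erin@example.test result=FAIL
2023-11-20T02:00:16 src=203.0.113.7 user=legacy-test@example.test result=SUCCESS
2023-11-20T02:01:00 src=198.51.100.5 user=alice@example.test result=FAIL
2023-11-20T02:01:20 src=198.51.100.5 user=alice@example.test result=FAIL
2023-11-20T02:01:40 src=198.51.100.5 user=alice@example.test result=SUCCESS
2023-11-20T02:05:00 src=192.0.2.9 user=frank@example.test result=FAIL
2023-11-20T02:05:01 src=192.0.2.9 user=frank@example.test result=FAIL
2023-11-20T02:05:02 src=192.0.2.9 user=frank@example.test result=FAIL
2023-11-20T02:05:03 src=192.0.2.9 user=frank@example.test result=FAIL
2023-11-20T02:05:04 src=192.0.2.9 user=frank@example.test result=FAIL
2023-11-20T02:05:05 src=192.0.2.9 user=frank@example.test result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, src, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def detect_password_spray(events, window_minutes=10, min_accounts=5, max_per_account=3):
    """Flag sources whose failures, within a sliding window, touch at least
    min_accounts distinct accounts while no single account sees more than
    max_per_account failures. That low per-account count is what separates a
    spray from a brute force and from a user mistyping their own password."""
    by_source = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_source[src].append((ts, user))

    alerts = []
    for src, fails in by_source.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            end = start + timedelta(minutes=window_minutes)
            per_account = defaultdict(int)
            for ts, user in fails[i:]:
                if ts > end:
                    break
                per_account[user] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts.append({
                    "source": src,
                    "window_start": start.isoformat(),
                    "accounts": len(per_account),
                    "max_per_account": max(per_account.values()),
                })
                break  # one alert per source is enough for triage
    return alerts


def successes_after_spray(events, alerts):
    """Accounts that succeeded from a flagged source: the likely foothold."""
    flagged = {a["source"] for a in alerts}
    return sorted({user for _, src, user, result in events
                   if src in flagged and result == "SUCCESS"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_password_spray(evs)
    for a in found:
        print(f"spray from {a['source']}: {a['accounts']} accounts, "
              f"max {a['max_per_account']} failure(s) each, from {a['window_start']}")
    print("succeeded from flagged source:", successes_after_spray(evs, found))
```

The thresholds are deliberately separate knobs: raising `max_per_account` catches slower sprays that cycle two or three passwords, while `min_accounts` sets how many targets a source must touch before it is worth an alert. In the constructed data only 203.0.113.7 is flagged; the single-account brute force and the legitimate mistyping are not, and the legacy test account is surfaced as the one that the flagged source actually got into.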
From that foothold, hackers were able to use the account's permissions to access “a very small percentage of Microsoft corporate email accounts.”
“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” Microsoft said.
It’s too early to determine whether the incident will materially impact the company’s financial condition or operations, the company also told regulators. It vowed to henceforth apply current security standards to legacy systems “even when these changes might cause disruption to existing business processes.”
With reporting from Information Security Media Group’s Michael Novinson in Massachusetts.