- Microsoft plans to make significant changes to its internal security practices after disclosing a hack by the Russia-affiliated threat group Midnight Blizzard, which stole emails and other data from senior-level Microsoft executives and other employees, the company said Friday in a filing with the Securities and Exchange Commission.
- The hackers compromised a legacy non-production test tenant account to gain access to the company, Microsoft said. The threat actor used the account’s permissions to reach a “very small percentage” of emails and attachments of senior executives and employees in the cybersecurity, legal and other departments.
- The actor, formerly known as Nobelium, was behind the 2020 Sunburst attacks against SolarWinds and other companies. U.S. authorities raised alarms about Midnight Blizzard in December after the actor was found exploiting unpatched vulnerabilities in JetBrains TeamCity servers across the globe.
Security researchers and other analysts say the attack raises serious questions about the security of Microsoft products and whether the company is employing the same practices internally that it demands of customers.
Beginning in late November, the attackers used a password-spray attack to gain access to Microsoft’s environment. The attacks were not discovered until Jan. 12, and Microsoft said the attackers were seeking to find out what information Microsoft had on Midnight Blizzard.
Adam Meyers, SVP of counter adversary operations at CrowdStrike, noted that Microsoft has been the subject of serious attacks involving its cloud environment in recent years. This includes last year's hack involving thousands of emails at the U.S. State Department and the Department of Commerce.
“I can tell you as somebody who works at a security company, our executives do not reside on legacy tenants with no multifactor authentication,” Meyers said.
Microsoft, in a blog post on Friday, admitted that it needs to rapidly update its internal security practices after it announced the Secure Future Initiative in November.
“We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business practices,” the company said in the blog post.