Microsoft says Russian hackers stole source code after spying on its executives
Microsoft revealed earlier this year that Russian state-sponsored hackers had been spying on the email accounts of some members of its senior leadership team. Now, Microsoft is disclosing that the attack, from the same group behind the SolarWinds attack, has also led to some source code being stolen in what Microsoft describes as an ongoing attack.
“In recent weeks, we have seen evidence that Midnight Blizzard [Nobelium] is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” explains Microsoft in a blog post. “This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”
It’s not clear what source code was accessed, but Microsoft warns that the Nobelium group, or “Midnight Blizzard,” as Microsoft refers to them, is now attempting to use “secrets of different types it has found” to try to further breach the software giant and potentially its customers. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” says Microsoft.
Nobelium initially accessed Microsoft’s systems through a password spray attack last year. This type of attack is a brute-force approach where hackers utilize a large dictionary of potential passwords against accounts. Microsoft had configured a non-production test tenant account without two-factor authentication enabled, allowing Nobelium to gain access.
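In authentication logs, a password spray appears as failed sign-ins from one source spread across many accounts. The script below is an added example, not code from Microsoft or the original article: it flags that pattern and then lists any later successful sign-in from the same source that did not use two-factor authentication. The log format, account names, addresses and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: time, source IP, account, outcome, MFA satisfied.
# All names and addresses are made up; IPs come from documentation ranges.
SAMPLE = """\
2024-01-01T02:00:05 203.0.113.10 alice fail no
2024-01-01T02:03:11 203.0.113.10 bob fail no
2024-01-01T02:06:40 203.0.113.10 carol fail no
2024-01-01T02:09:02 203.0.113.10 dave fail no
2024-01-01T02:12:57 203.0.113.10 erin fail no
2024-01-01T02:16:30 203.0.113.10 legacy-test fail no
2024-01-01T02:45:12 203.0.113.10 legacy-test success no
2024-01-01T09:00:01 198.51.100.7 alice fail no
2024-01-01T09:00:20 198.51.100.7 alice fail no
2024-01-01T09:00:48 198.51.100.7 alice success yes
"""

def parse(text):
    """Yield (time, ip, user, succeeded, mfa_used) tuples from the assumed format."""
    for line in text.splitlines():
        ts, ip, user, outcome, mfa = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "success", mfa == "yes"

def detect_spray(text, window=timedelta(minutes=30), min_accounts=5):
    """Return {ip: {"accounts": set, "no_mfa_success": list}} for sources whose
    failures hit at least min_accounts distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(text)):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [(t, u) for t, _, u, ok, _ in evs if not ok]
        targeted, start = set(), 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                targeted |= users
        if targeted:
            first = min(t for t, u in fails if u in targeted)
            # A success without MFA after the spray began is the urgent finding.
            hits = [u for t, _, u, ok, mfa in evs if ok and not mfa and t >= first]
            findings[ip] = {"accounts": targeted, "no_mfa_success": hits}
    return findings

if __name__ == "__main__":
    print(detect_spray(SAMPLE))
```

The single user who mistypes a password twice and then signs in with two-factor authentication is not flagged, because the failures touch only one account.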
“Across Microsoft, we have increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat,” says Microsoft. “We have and will continue to put in place additional enhanced security controls, detections, and monitoring.”
The attack on Microsoft initially took place just days after the company announced its plan to overhaul its software security following serious Azure cloud attacks. Microsoft has been at the center of several high-profile security attacks in recent years, including 30,000 organizations’ email servers getting hacked in 2021 due to a Microsoft Exchange Server flaw and Chinese hackers breaching US government emails via a Microsoft cloud exploit last year.
Microsoft is still investigating Nobelium’s latest attacks on its systems. “Our active investigations of Midnight Blizzard activities are ongoing, and findings of our investigations will continue to evolve,” says Microsoft. “We remain committed to sharing what we learn.”