Microsoft disclosed on Jan. 19 that a nation-state backed attack occurred beginning in November 2023 in which the Russian state-sponsored threat actor group Midnight Blizzard accessed some Microsoft corporate emails and documents through compromised email accounts.
The attackers gained access in November 2023 using a legacy test tenant account. From there, they could use that account’s permissions to access a small number of Microsoft corporate email accounts – some of those accounts were for senior leadership team members. Other individuals whose email accounts were accessed work on the cybersecurity and legal teams, among other functions.
“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” wrote the Microsoft Security Response Center team in the Jan. 19 blog post.
“The attack was not the result of a vulnerability in Microsoft products or services,” the Microsoft team wrote. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”
Update: On Jan. 24, HPE made public a Jan. 19 filing that shows HPE was also breached by the Midnight Blizzard gang. The group took data from HPE’s cloud-based email environment starting in May 2023. Compromised email accounts belonged to people in “cybersecurity, go-to-market, business segments, and other functions.” HPE’s investigation is ongoing. HPE has not released further details about the attacks or determined whether the attacks on HPE and Microsoft are related.
How did Midnight Blizzard access Microsoft email accounts?
The Midnight Blizzard threat actor group used a technique called a password spray attack. Password spraying is a brute force attack in which threat actors spam or “spray” commonly used passwords against many different accounts in one organization or application.
How to defend against password spray attacks
The threat of a password spray attack is a good opportunity to be sure that your organization is using multifactor authentication, keeping tabs on older, lapsed and test accounts, and running up-to-date SIEM software.
Password spray attacks may be marked by a sharp increase in the number of bad password attempts, spread across many different accounts, or by unusually even spacing between attempts. This kind of attack may be effective if users are not forced to change their passwords on first login. Rigorous login detection, strong lockout policies and password managers can cut down on the chance of a successful password spray attack.
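As an added illustration of the two detection signals described above (many accounts failing from one source, and evenly spaced attempts), here is a small Python detector run over constructed sign-in log lines. It is example code written for this article, not Microsoft's or TechRepublic's tooling; the log format, the source addresses and the account names (including the legacy test account) are invented for the sample, and the thresholds are assumptions a defender would tune to their own environment.

```python
"""Password-spray detector over constructed sign-in log lines.

A spray looks different from a classic brute force: one source fails
against MANY accounts with only one or two attempts per account, often
at a machine-like fixed interval. This script scores each source on
those two properties and reports any account that later succeeded.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample sign-in events (not real data). Fields:
# timestamp, source IP, account, result.
# 198.51.100.7 sprays ten accounts once each, 30 seconds apart, and then
# succeeds against an old test account; 203.0.113.9 is a single user
# mistyping their own password twice.
SAMPLE_LOG = """\
2024-01-15T02:00:00Z 198.51.100.7 alice FAIL
2024-01-15T02:00:30Z 198.51.100.7 bob FAIL
2024-01-15T02:01:00Z 198.51.100.7 carol FAIL
2024-01-15T02:01:30Z 198.51.100.7 dave FAIL
2024-01-15T02:02:00Z 198.51.100.7 erin FAIL
2024-01-15T02:02:30Z 198.51.100.7 frank FAIL
2024-01-15T02:03:00Z 198.51.100.7 test-tenant-legacy FAIL
2024-01-15T02:03:30Z 198.51.100.7 grace FAIL
2024-01-15T02:04:00Z 198.51.100.7 heidi FAIL
2024-01-15T02:04:30Z 198.51.100.7 ivan FAIL
2024-01-15T02:05:00Z 198.51.100.7 test-tenant-legacy SUCCESS
2024-01-15T09:12:03Z 203.0.113.9 alice FAIL
2024-01-15T09:12:41Z 203.0.113.9 alice FAIL
2024-01-15T09:13:02Z 203.0.113.9 alice SUCCESS
"""


def parse_log(text):
    """Turn the whitespace-separated sample format into (ts, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def regularity(timestamps):
    """Coefficient of variation of the gaps between attempts.

    Near 0 means the attempts are evenly spaced (scripted); humans are noisy.
    Returns None when there are too few attempts to judge.
    """
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return 0.0 if avg == 0 else pstdev(gaps) / avg


def detect_spray(events, min_accounts=5, max_failures_per_account=2, regular_threshold=0.2):
    """Return {source: finding} for sources whose failures match a spray pattern.

    Thresholds are assumed defaults for the example, not vendor guidance.
    """
    per_src = defaultdict(list)
    for ev in events:
        per_src[ev[1]].append(ev)

    findings = {}
    for src, evs in per_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        failures_per_account = defaultdict(int)
        for e in fails:
            failures_per_account[e[2]] += 1
        # Spray signature: breadth across accounts, not depth on one account.
        if len(failures_per_account) < min_accounts:
            continue
        if max(failures_per_account.values()) > max_failures_per_account:
            continue
        cv = regularity(sorted(e[0] for e in fails))
        # Any account that failed and then succeeded from this source deserves
        # immediate attention (in the sample, the legacy test account).
        hits = sorted({e[2] for e in evs if e[3] == "SUCCESS" and e[2] in failures_per_account})
        findings[src] = {
            "accounts_targeted": len(failures_per_account),
            "failed_attempts": len(fails),
            "evenly_spaced": cv is not None and cv < regular_threshold,
            "successful_logins_after_failures": hits,
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

In a real deployment the same logic would run over SIEM sign-in events keyed by source address or ASN, and the "successful login after failures" list is the item to route to incident response first; the other two fields are what justify tighter lockout and MFA enforcement on the accounts involved.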
“Companies should prioritize educating employees on the benefits of robust passwords and 2FA, as well as the hallmarks of social engineering attacks, malicious links and attachments, and the dangers of insecure password sharing,” said Gary Orenstein, chief customer officer at credential management provider Bitwarden, in an email to TechRepublic. “Build awareness into the culture of the organization through simulations or interactive modules to instill better security habits and reinforce a resilient cybersecurity posture.”
Challenges when facing nation-state actors
State-sponsored attacks are a top cybersecurity threat in 2024. These attacks highlight the need for thorough incident response plans and threat intelligence monitoring, especially among organizations that might be specifically targeted, such as big tech or infrastructure.
With regard to nation-state actors specifically, Microsoft said attacks like the recent password spraying attack caused the company to change “the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient.”
“For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes,” Microsoft wrote.
Editor’s note: When TechRepublic contacted Microsoft for more information, the tech giant pointed us to its blog post.