Microsoft disclosed that it recently fell victim to a cyberattack by Nobelium, the Russian state-sponsored hacking group infamously responsible for the 2020 SolarWinds supply chain attack. The breach, detected on January 12th, allowed the hackers to access email accounts belonging to members of Microsoft's senior leadership team.
While details remain limited, Microsoft stated that Nobelium, also known as Midnight Blizzard, leveraged a simple password spray attack to compromise an unsecured legacy account back in November 2023. From there, the persistent threat actors stealthily moved laterally, ultimately accessing sensitive corporate emails and documents over the course of several months.
This latest high-profile breach underscores that even with extensive resources and security expertise, major technology firms can still fall prey to sophisticated nation-state actors.
Omri Weinberg, Co-Founder and CRO at DoControl, offered his perspective on the incident:
"It's increasingly clear that nation-state actors can and will go after private sector companies if it creates value or an advantage for them. While Microsoft had announced intent to provide defenses against nation-state threat actors in their SFI announcement, this attack should remind all organizations that they are not excluded from potential nation-state level attacks."
Though the attack was initially focused on gathering intelligence on the hacking group itself, there are still open questions about the extent of data stolen. While Microsoft found no evidence yet of impacts on customers, production systems, or source code, the months of unauthorized access raises serious concerns.
According to Arie Zilberstein, CEO at Gem Security:
"Although conducted by a nation-state threat actor, this was not a sophisticated zero-day or supply chain attack—it was a relatively simple password spray attack. Surprisingly, the adversary managed to stay persistent in the cloud infrastructure for more than two months before being discovered."
Carol Volk, EVP at BullWall, said:
"So how big do you have to be to be secure? The apparent lack of 2FA and/or weak passwords by Microsoft's senior staff allowed the Russian hacking group Midnight Blizzard to read their emails, and that's the point here; anyone and everyone is vulnerable. It's not just the zero-days that get you, it's just that one hole in your defenses. In this case, an old fashioned 'password spray attack' worked just fine to let attackers in to read management emails.
Microsoft is lucky this time, as apparently the gang was searching emails to see what Microsoft was saying about them. They could have just as easily stolen or destroyed the data. Attackers can always find a way into a network, so regular, air-gapped backups and a rapid response ransomware containment system should be part of the complete defensive stack."
While this incident should certainly serve as a wake-up call for Microsoft and many other organizations, it is also a good time to check in on your senior leadership team and make sure that they too have MFA (multi-factor authentication) enabled on their accounts.
Follow SecureWorld News for more stories related to cybersecurity.