Microsoft has issued an alert that Russian state hackers, previously linked to significant breaches of U.S. government agencies, are using confidential information stolen from Microsoft’s corporate email systems in November 2023 to attempt further intrusions into the company’s networks.

The Microsoft Security Team has detected recent activity by a cyber-espionage group believed to be associated with Russia’s Foreign Intelligence Service (SVR). The group, which Microsoft tracks as Midnight Blizzard, is using data stolen in the November intrusion, which Microsoft detected in January, in attempts to gain further unauthorized access.

Those attempts include trying to reach source code repositories and internal systems. Microsoft says it has found no evidence that Microsoft-hosted customer-facing systems have been compromised.

The U.S. government has attributed Midnight Blizzard to the SVR. The group has been observed using information from the stolen emails, including correspondence between Microsoft and its customers. As Microsoft identifies such material in the stolen mail, it is contacting the affected customers and helping them put mitigations in place.

Midnight Blizzard’s activity has intensified, in particular its use of password sprays, which Microsoft says increased as much as tenfold in February compared with January. In a password spray the attacker tries a small set of likely passwords against many accounts rather than many passwords against one account, so each account sees only one or two failed attempts and lockout thresholds are never reached. The group is likely using the stolen information to map potential attack paths and refine its approach. Microsoft’s ongoing investigation indicates a sustained and significant commitment of resources, coordination, and focus by the attackers.
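The shape of a password spray is what makes it detectable: one source, many distinct accounts, very few attempts per account. The following detection logic is an added example written for this page, not Microsoft’s code or telemetry. The sign-in records are constructed and only loosely shaped like Entra ID sign-in log entries; the field layout and the IP addresses are assumptions. The two error codes are real Entra ID codes (AADSTS50126 is an invalid username or password, AADSTS50076 means the password was accepted and MFA was required), and the example uses them to separate accounts whose password the sprayer guessed from accounts that merely received a failed attempt. The account that signs in with no MFA challenge at all stands in for the kind of legacy test account that gives a spray its foothold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source_ip, account, result, error_code).
# 198.51.100.7 makes one guess per account across many accounts in a few
# seconds (a spray); 10.0.0.9 is an employee mistyping their own password.
SAMPLE_SIGNINS = [
    ("2024-02-10T03:00:01Z", "198.51.100.7", "alice@example.com", "failure", 50126),
    ("2024-02-10T03:00:04Z", "198.51.100.7", "bob@example.com", "failure", 50126),
    ("2024-02-10T03:00:07Z", "198.51.100.7", "carol@example.com", "failure", 50126),
    ("2024-02-10T03:00:10Z", "198.51.100.7", "dave@example.com", "failure", 50126),
    # 50076: password was correct, MFA challenge stopped the sign-in.
    ("2024-02-10T03:00:13Z", "198.51.100.7", "erin@example.com", "failure", 50076),
    # A legacy test account with no MFA enforced: the spray lands.
    ("2024-02-10T03:00:16Z", "198.51.100.7", "svc-legacy-test@example.com", "success", 0),
    ("2024-02-10T03:05:00Z", "10.0.0.9", "frank@example.com", "failure", 50126),
    ("2024-02-10T03:05:20Z", "10.0.0.9", "frank@example.com", "failure", 50126),
    ("2024-02-10T03:05:40Z", "10.0.0.9", "frank@example.com", "success", 0),
]

MFA_REQUIRED = 50076  # password accepted, second factor still required


def detect_sprays(records, window=timedelta(minutes=10),
                  min_accounts=5, max_attempts_per_account=2):
    """Return {source_ip: finding} for sources whose sign-ins look like a spray.

    A spray is many distinct accounts, each tried only once or twice, from one
    source inside a short window. A user failing repeatedly on their own account
    has the opposite shape (one account, many attempts) and is not flagged.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result, code in records:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_ip[ip].append((when, user, result, code))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window forward from each event until one shows spray shape.
        for start, _, _, _ in events:
            in_window = [e for e in events if start <= e[0] < start + window]
            attempts = defaultdict(int)
            for _, user, _, _ in in_window:
                attempts[user] += 1
            if (len(attempts) >= min_accounts
                    and max(attempts.values()) <= max_attempts_per_account):
                # Accounts where the guessed password was valid: a success means
                # the account is compromised, MFA_REQUIRED means the password must
                # still be rotated even though the second factor held.
                guessed = sorted(user for _, user, result, code in in_window
                                 if result == "success" or code == MFA_REQUIRED)
                findings[ip] = {"accounts_tried": len(attempts),
                                "valid_password_found": guessed}
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_sprays(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

The thresholds are deliberately loose so the small constructed sample trips them; on real sign-in volume they would be tuned per tenant and combined with the usual spray signals such as a residential-proxy or hosting-provider source and a user-agent shared across accounts. The point that survives any tuning is the last list: every account the spray guessed correctly needs action, and an account that signed in with no MFA challenge is already compromised.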

Microsoft disclosed these developments to the U.S. Securities and Exchange Commission (SEC) in a Form 8-K filing that mirrors the details in its blog post.

Midnight Blizzard, also tracked in the security community as APT29, Cozy Bear, and BlueBravo, gained notoriety with the 2020 SolarWinds supply-chain compromise, which gave it access to major corporations and several U.S. government departments.

The intrusion began in late November 2023. Using a password spray, the attackers compromised a legacy, non-production test tenant account and from there reached the email accounts of Microsoft senior executives and of employees in cybersecurity and legal roles. They stole emails and attached documents, initially looking for information about what Microsoft knew of the group itself. Microsoft faced criticism for not fully explaining how access to a “non-production test account” led to the inboxes of senior leaders.

Separately, Britain’s National Cyber Security Centre (NCSC) and its Five Eyes partners recently warned that the SVR is adapting its techniques to target organizations that have moved to cloud-hosted infrastructure. Over the past year the group has been observed stealing access tokens issued by authentication systems; because such a token is issued after the user has already completed login and MFA, replaying it gives the attacker the account without the password. The risk is greatest when personal, unmanaged devices, which lack the protections applied to corporate-managed ones, are used to access corporate resources.