Microsoft said today that it was hacked by a "Russian state-sponsored actor" called Midnight Blizzard, also known as Nobelium. That's the same group of hackers suspected to be responsible for the major SolarWinds supply chain hack that occurred in 2020.
"Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents," Microsoft wrote.
"The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed."
Microsoft said it detected the attack on January 12. It didn't elaborate on what information Midnight Blizzard/Nobelium may have been looking for, but there's a long history between the two. In 2021, following the SolarWinds hack, Microsoft posted a four-part blog/video series on the group that "pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and around the industry came together to take on the most sophisticated nation-state attack in history."
Microsoft has also taken an active role in combatting Russian cyber-attacks against Ukraine.
"Password spraying" is a brute force attack in which a hacker tries common passwords against a list of known valid usernames in the hope that someone got lazy and used something like "1234." Automated systems are often used to roll through a large number of passwords in a relatively short amount of time, and it's tough to defend against because it exploits weak passwords chosen by users rather than a vulnerability in the software itself.
From the website of online security company Login Radius:
Hackers can go after specific users and cycle through as many passwords as possible from either a dictionary or an edited list of common passwords. Password spraying is not a targeted attack, it is just one malicious actor acquiring a list of email accounts or gaining access to an Active Directory and attempting to sign in to all the accounts using a list of the most likely, popular, or common passwords until they get a hit.
The key takeaway from password spraying is that user accounts with old or common passwords form the weak link hackers can exploit to gain access to the network. Unfortunately, password spraying attacks are frequently successful because so many account users fail to follow the best password protection practices or choose convenience over security.
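To show what the attack described above and in the quoted definition looks like from the defender's side, here is an added example (written for this edit; it is not code from Microsoft, LoginRadius or the article) of a small detector that reads sign-in events and flags a source whose failed logins are spread thinly across many accounts, which is the shape of a spray, as opposed to a classic brute force that hammers one account. The log line format, the thresholds, the IP addresses and the account names are all constructed assumptions, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data). Assumed format per line:
# <ISO-8601 timestamp> <source IP> <account> <SUCCESS|FAILURE>
# 203.0.113.7 tries one password each against five accounts, then lands on a
# test account; 198.51.100.2 is a per-account brute force, not a spray.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 alice@example.test FAILURE
2023-11-20T02:00:04Z 203.0.113.7 bob@example.test FAILURE
2023-11-20T02:00:09Z 203.0.113.7 carol@example.test FAILURE
2023-11-20T02:00:15Z 203.0.113.7 dave@example.test FAILURE
2023-11-20T02:00:21Z 203.0.113.7 erin@example.test FAILURE
2023-11-20T02:00:27Z 203.0.113.7 legacy-test@example.test SUCCESS
2023-11-20T02:05:00Z 198.51.100.2 frank@example.test FAILURE
2023-11-20T02:05:02Z 198.51.100.2 frank@example.test FAILURE
2023-11-20T02:05:04Z 198.51.100.2 frank@example.test FAILURE
2023-11-20T02:05:06Z 198.51.100.2 frank@example.test FAILURE
2023-11-20T02:05:08Z 198.51.100.2 frank@example.test FAILURE
2023-11-20T02:05:10Z 198.51.100.2 frank@example.test FAILURE
2023-11-20T03:00:00Z 192.0.2.10 alice@example.test FAILURE
2023-11-20T03:00:30Z 192.0.2.10 alice@example.test SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": outcome == "SUCCESS",
        })
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, per_user_cap=2):
    """Return one finding per source IP whose failures, within any sliding
    window, touch at least `min_users` distinct accounts with no account
    failing more than `per_user_cap` times. Successes from the same source in
    that window are reported as the accounts to investigate first."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e["ts"])
        finding = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans <= window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            fails = defaultdict(int)
            hits = set()
            for e in evs[start:end + 1]:
                if e["ok"]:
                    hits.add(e["user"])
                else:
                    fails[e["user"]] += 1
            if len(fails) >= min_users and max(fails.values()) <= per_user_cap:
                # Keep the latest qualifying window so later successes are captured.
                finding = {
                    "ip": ip,
                    "first_seen": evs[start]["ts"].isoformat(),
                    "failed_users": sorted(fails),
                    "successes": sorted(hits),
                }
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {f['ip']} starting {f['first_seen']}: "
              f"{len(f['failed_users'])} accounts tried, "
              f"successes: {f['successes'] or 'none'}")
```

The per-account cap is what separates this from a lockout-style rule: a spray deliberately makes only a few attempts per account, so a rule that counts failures per user never fires, while counting distinct failed users per source does. A success from a source already flagged as spraying is the "hit" the quoted definition talks about, and in this sample it lands on the assumed test account, which mirrors why a legacy, non-production tenant is the kind of account such a campaign is likely to reach.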
Microsoft said essentially the same thing, noting that the attack "was not the result of a vulnerability in Microsoft products or services." There's currently no evidence that hackers gained access to "customer environments, production systems, source code, or AI systems," and it will notify customers if and when any further action is required.
Even if that's the case, the hack will have an impact: Microsoft said the proliferation of state-sponsored hackers has forced it to reassess "the balance we need to strike between security and business risk," and that it will immediately apply "current security standards to Microsoft-owned legacy systems and internal business processes."
"This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy."
Microsoft has been at the center of numerous major hacks in recent years. In 2021, the US and other NATO nations accused China of sponsoring Microsoft Exchange Server hacks, and in 2022 a Lapsus$ attack resulted in the theft of Bing and Cortana source code. In 2023, its Azure platform was breached by a Chinese hacking group that was able to gain access to user email accounts; that led Tenable chairman and CEO Amit Yoran to accuse the company of a "repeated pattern of negligent cybersecurity practices, which has enabled Chinese espionage against the United States government."