Microsoft acknowledges being hacked for the second time this year, by the same Russia state-sponsored group Midnight Blizzard. The company confirms that this new breach is the outcome of the previous one, as hackers were able to get their hands on access secrets.
Microsoft Hacked, Source Code Leaked
In its K-8 filing to SEC, Microsoft claims the relation of the latest hack to the one that was uncovered in January 2024. A Russian threat actor known as Nobelium/Midnight Blizzard managed to hack into Microsoft systems. The hack happened around November, with hackers staying inside for until January. This eventually resulted in adversaries gaining access to the emails of executives and certain authentication tools. And it turns out that attackers managed to take away some of the authentication secrets even after being discovered.
In the latest attack, Midnight Blizzard used these leaked auth secrets to get into the Microsoft internal networks once again. The same K-8 filing discloses the facts of hackers getting access (or at least attempting to) using the said leaked keys. Among particular systems under attack are source code repositories and some of the internal systems. Microsoft warns that the unauthorized access may happen repeatedly in future, meaning that they do not know the exact scale of auth secrets leak.
Microsoft in K-8 filing
One fortunate thing though is that customer-facing assets and their data was not compromised. And this is most likely true, as the previous attacks mainly concentrated on top-tier executives, who barely have access to customer data. And this is a big relief: the scale of consequent attacks due to the data leaked from Azure, Outlook or other cloud services could have been tremendous. Still, no excuses for such a large company to fall victim to hackers.
Who is Midnight Blizzard?
Nobelium/APT29/Fancy Bear or Midnight Blizzard, by the new Microsoft classification, is a Russian state-sponsored threat actor. It mainly aims at cyber espionage, being led by the Russian External Intelligence Agency (SVR). The group is known for picking loud targets for its attacks, particularly government agencies, military contractors and the like.
Microsoft became their point of interest back in 2022, when they managed to hack an auxiliary SSO system for Windows Server. 2023 though has become a year of a “proper” hack. Back in November 2023, APT29 managed to stay in the network for quite some time, compromising a lot of different internal systems. Considering the uncertainity regarding the amount of compromised elements, they will certainly repeat.