Microsoft on Friday announced that it was a victim of a nation-state attack carried out by a Russian hacker group wherein its corporate email system was targeted.
In a blog post, Microsoft said that the Russian hackers gained access to a “small percentage” of employee email accounts, including those of several senior executives as well as employees in the company’s cybersecurity, legal, and other functions. It added that some emails and attached documents were stolen.
Microsoft said the intrusion began in late November and was discovered on January 12, 2024. The company has identified the threat actor behind the attack as Midnight Blizzard, a Russian state-sponsored actor also known as Nobelium. This is also the same group that was behind the SolarWinds cyberattack in 2020.
The company further said that the hacker group used a password spray attack to compromise a legacy non-production test tenant account, and from that foothold gained access to a number of corporate email accounts.
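As an added defensive illustration, not part of Microsoft's post or any Microsoft tooling, the following shows why a password spray of the kind named above slips past per-account lockout and how a source-centric detection catches it over sign-in events. The events, source addresses, account names and thresholds are constructed assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2023, 11, 27, 3, 0, 0)  # arbitrary constructed start time

def t(minutes):
    return BASE + timedelta(minutes=minutes)

# Constructed sample sign-in events: (timestamp, source_ip, account, outcome).
# 203.0.113.10 tries one password across six accounts, then logs in to one;
# 198.51.100.7 is a user mistyping their own password three times.
EVENTS = [
    (t(0), "203.0.113.10", "alice", "FAILURE"),
    (t(1), "203.0.113.10", "bob", "FAILURE"),
    (t(2), "203.0.113.10", "carol", "FAILURE"),
    (t(3), "203.0.113.10", "dave", "FAILURE"),
    (t(4), "203.0.113.10", "erin", "FAILURE"),
    (t(5), "203.0.113.10", "legacy-test-svc", "FAILURE"),
    (t(7), "203.0.113.10", "legacy-test-svc", "SUCCESS"),
    (t(0), "198.51.100.7", "frank", "FAILURE"),
    (t(1), "198.51.100.7", "frank", "FAILURE"),
    (t(2), "198.51.100.7", "frank", "FAILURE"),
    (t(3), "198.51.100.7", "frank", "SUCCESS"),
]

def detect_password_spray(events, window_minutes=10, min_accounts=5, max_per_account=2):
    """Return {source_ip: details} for sources showing the spray shape: within one
    window, failures against many distinct accounts but only a few tries each.
    Per-account lockout counters never trip on this pattern, so the detection
    pivots on the source rather than on the account."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for ts, src, account, outcome in events:
        by_source[src].append((ts, account, outcome))
    alerts = {}
    for src, evs in by_source.items():
        evs.sort()
        fails = [(ts, acct) for ts, acct, out in evs if out == "FAILURE"]
        for i, (start, _) in enumerate(fails):
            in_window = [acct for ts, acct in fails[i:] if ts - start <= window]
            per_account = Counter(in_window)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                # A later success from the same source on a sprayed account is the
                # "compromised account" signal that should drive the response.
                compromised = sorted({acct for ts, acct, out in evs
                                      if out == "SUCCESS" and ts >= start and acct in per_account})
                alerts[src] = {"distinct_accounts": len(per_account),
                               "attempts": len(in_window), "compromised": compromised}
                break
    return alerts

if __name__ == "__main__":
    for src, info in detect_password_spray(EVENTS).items():
        print(f"password spray from {src}: {info}")
```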
As soon as the activity was detected, Microsoft immediately activated its response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. The company is also in the process of notifying employees whose email was accessed.
In a regulatory filing Friday with the U.S. Securities and Exchange Commission, Microsoft said it was able to remove the threat actor’s access to the email accounts on or about January 13, 2024.
“We are examining the information accessed to determine the impact of the incident. We also continue to investigate the extent of the incident. We have notified and are working with law enforcement. We are also notifying relevant regulatory authorities with respect to unauthorized access to personal information. As of the date of this filing, the incident has not had a material impact on the Company’s operations,” it wrote in its regulatory filing.
According to Microsoft, the attack was not the result of a vulnerability in Microsoft products or services. The company added that it has so far found no evidence of the threat actor having had any access to customer environments, production systems, source code, or AI (artificial intelligence) systems.
However, it said it is acting immediately to apply its current security standards to Microsoft-owned legacy systems and internal business processes, even where these changes might disrupt existing business processes.