Date: 13/3/2024
Where:
US, Russia
Who’s involved:
Microsoft corporation, APT29 AKA Midnight Blizzard or Cozy Bear (Russian State-Sponsored Threat Actor)
What happened?
On January 12th, Microsoft found that a threat actor had, in late November 2023, gained access to a legacy system that was not customer-facing. The threat actor was identified as having come from Russia. Through this system, they gained access to Microsoft corporate email accounts, though this was not disclosed at first.
A Microsoft report was issued on January 19th to consumers, claiming that the event was of no major significance and posed no threat to user account information.
On January 25th, Microsoft reported that Russian hackers had gained access to source code repositories during the earlier attack. This was more damaging than initially reported, with the threat actor accessing some of the company's internal systems.
Microsoft revealed that the volume of some tactics used in the attack had increased by as much as 10-fold in February compared to January 2024. This increase was attributed to the group using information initially exfiltrated from Microsoft's corporate email systems.
On March 11th, an update from Microsoft indicated that the January attack by Russian hackers was more damaging than originally reported, with it now confirmed that the Midnight Blizzard (APT29) group accessed some of the company's internal systems and software source code.
Analysis:
Midnight Blizzard, once famously known in the media as Cozy Bear, is one of the oldest and most skilled offensive hacking groups affiliated with the Russian state. Active since at least 2008, they achieved fame as the group associated with both the 2016 Democratic National Convention intrusion attempts and the 2020 SolarWinds hack, which caused massive supply chain disruptions.
Achieving backdoor access to Microsoft applications, particularly Cloud deployments, presents a mother lode for Advanced Persistent Threats (APTs), as it could empower them to infiltrate thousands of organizations around the world, including defense, engineering, and software development firms. In addition, a plurality of government departments in North America and Europe are reliant on Microsoft deployments.
Microsoft’s findings indicate that Midnight Blizzard had access to its systems for over two months before being detected.
The efficacy of brute-force tactics in this situation indicates that the compromised email accounts were not protected with multi-factor authentication (MFA).
The tactic that worked in the initial attack is known as “password spraying”, wherein a threat actor tries a small number of passwords against many accounts, keeping the attempts per account in bursts small enough not to trigger maximum login attempt warnings or lockouts.
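The reason password spraying slips past a per-account lockout counter, and the kind of detection that catches it anyway, is easier to see on sample data. The following is an added example written for this brief, not code from Microsoft or from the incident; the log format (timestamp, source IP, account, result), the account names and IP addresses are all constructed, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample authentication log (not real data): one login attempt per
# line as "timestamp source_ip account result". The first source tries one or two
# passwords against six accounts, the second hammers a single account, the third
# is a user who mistyped a password once.
SAMPLE_LOG = """\
2024-01-10T02:00:01Z 203.0.113.7 alice FAIL
2024-01-10T02:00:03Z 203.0.113.7 bob FAIL
2024-01-10T02:00:05Z 203.0.113.7 carol FAIL
2024-01-10T02:00:07Z 203.0.113.7 dave FAIL
2024-01-10T02:00:09Z 203.0.113.7 erin FAIL
2024-01-10T02:00:11Z 203.0.113.7 frank FAIL
2024-01-10T02:30:01Z 203.0.113.7 alice FAIL
2024-01-10T02:30:03Z 203.0.113.7 bob FAIL
2024-01-10T02:30:05Z 203.0.113.7 carol FAIL
2024-01-10T02:30:07Z 203.0.113.7 dave FAIL
2024-01-10T02:30:09Z 203.0.113.7 erin FAIL
2024-01-10T02:30:11Z 203.0.113.7 frank SUCCESS
2024-01-10T03:00:00Z 198.51.100.9 grace FAIL
2024-01-10T03:00:02Z 198.51.100.9 grace FAIL
2024-01-10T03:00:04Z 198.51.100.9 grace FAIL
2024-01-10T03:00:06Z 198.51.100.9 grace FAIL
2024-01-10T03:00:08Z 198.51.100.9 grace FAIL
2024-01-10T03:00:10Z 198.51.100.9 grace FAIL
2024-01-10T03:10:00Z 192.0.2.5 heidi FAIL
2024-01-10T03:10:20Z 192.0.2.5 heidi SUCCESS
"""


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Split one log line into (timestamp, source_ip, account, result)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result


def locked_accounts(lines: List[str], threshold: int = 5) -> List[str]:
    """Classic per-account lockout: an account is locked once it accumulates
    `threshold` consecutive failures (a success resets the counter). This is
    the control a spray is designed to stay under."""
    consecutive: Dict[str, int] = defaultdict(int)
    locked = set()
    for line in filter(str.strip, lines):
        _, _, user, result = parse_line(line)
        if result == "FAIL":
            consecutive[user] += 1
            if consecutive[user] >= threshold:
                locked.add(user)
        else:
            consecutive[user] = 0
    return sorted(locked)


def detect_password_spray(lines: List[str], min_accounts: int = 5,
                          max_per_account: int = 3) -> List[Tuple[str, int, int]]:
    """Pivot on the source instead of the account: flag a source IP that fails
    against at least `min_accounts` distinct accounts while never exceeding
    `max_per_account` failures on any one of them (few tries, many targets).
    Returns (source_ip, distinct_accounts, max_failures_per_account)."""
    failures: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in filter(str.strip, lines):
        _, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip][user] += 1
    alerts = []
    for ip, per_user in failures.items():
        worst = max(per_user.values())
        if len(per_user) >= min_accounts and worst <= max_per_account:
            alerts.append((ip, len(per_user), worst))
    return sorted(alerts)


def successes_from_spraying_sources(lines: List[str]) -> List[Tuple[str, str]]:
    """The highest-value signal: any successful login from a source that was
    flagged as spraying is a likely compromised account, even though that
    account itself never tripped a lockout."""
    spraying = {ip for ip, _, _ in detect_password_spray(lines)}
    hits = set()
    for line in filter(str.strip, lines):
        _, ip, user, result = parse_line(line)
        if result == "SUCCESS" and ip in spraying:
            hits.add((ip, user))
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("locked by per-account counter:", locked_accounts(lines))
    print("spraying sources:", detect_password_spray(lines))
    print("logins from spraying sources:", successes_from_spraying_sources(lines))
```

Run on the sample, the per-account counter locks only the single-target brute force (grace) and never fires for the spray, while the source-centric check flags the spraying IP and the one account it eventually logged into. In practice the same pivot is applied across time windows and identity-provider sign-in logs, and MFA on the account removes the value of the guessed password regardless of whether the spray is noticed.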
Conclusion:
The recent revelation by Microsoft about the breach conducted by the Russian state-backed group, Midnight Blizzard (APT29), marks another significant episode in the ongoing cyber conflict involving state-sponsored actors. This incident highlights the sophisticated tactics and persistent threats posed by these groups to global cybersecurity infrastructure.
On a more actionable level, this incident reinforces the importance of implementing strong security practices, such as multi-factor authentication (MFA), to protect against password spraying and other brute-force tactics.
The breach also signifies the interconnected nature of global cybersecurity, where an intrusion into one major entity like Microsoft can have far-reaching implications for countless organizations and governments. As such, collaborative efforts and information sharing between public and private sectors are essential to strengthen defenses and resilience against state-sponsored cyber activities.
As geopolitical tensions continue to manifest in the cyber realm, this event serves as a reminder of the evolving landscape of cyber warfare and espionage. Companies, especially those providing critical IT infrastructure like Microsoft, are prime targets and must remain at the forefront of cybersecurity efforts to protect not only their assets but also those of their clients worldwide.