Russia-linked Midnight Blizzard breached Microsoft systems again

Microsoft revealed that Russia-linked APT group Midnight Blizzard recently breached its internal systems and source code repositories.

Microsoft published an update on the attack that hit the company on January 12, 2024, the IT giant revealed that the Russia-linked Midnight Blizzard recently breached again its internal systems and source code repositories.

In January, Microsoft warned that some of its corporate email accounts were compromised by the group Midnight Blizzard, the company notified law enforcement and relevant regulatory authorities.

The Midnight Blizzard group (aka APT29SVR groupCozy BearNobeliumBlueBravo, and The Dukes) along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections. The group is known for the SolarWinds supply chain attack that in 2020 hit more than 18,000 customer organizations, including Microsoft.

The state-sponsored hackers first compromised the company systems in late November 2023 with a password spray attackPassword spraying is a type of brute force attack where the attackers carry out brute force logins based on a list of usernames with default passwords on the application. In this attack scenario, threat actors use one password against many different accounts on the application to avoid account lockouts that would normally trigger when brute forcing a single account with many passwords.

Microsoft revealed that the threat actors gained access to a legacy non-production test tenant account and used the account’s permissions to access a very small percentage of Microsoft corporate email accounts. The attackers gained access to the accounts of members of the company’s senior leadership team and employees in cybersecurity, legal, and other functions. The company also confirmed that attackers have exfiltrated some emails and attached documents. The APT group initially targeted email accounts to gather intelligence on investigations conducted by Microsoft on Midnight Blizzard’s activities. Microsoft is notifying impacted employees.  

The company pointed out that the attackers did not exploit any vulnerability in Microsoft products or services. Microsoft also added that there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.

The update published by Microsoft today revealed that the APT Midnight Blizzard beached again some of its systems and code repositories using the secrets found in the data exfiltrated in the January attack.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.” reads the update

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.” 

The IT giant reported that Midnight Blizzard significantly escalated its malicious activity against Microsoft. Experts observed that password spray attacks increased by up to ten times compared to the already substantial volume observed in January 2024.

The ongoing attack orchestrated by Midnight Blizzard is marked by a prolonged and intense dedication of the threat actor’s resources, coordination, and focus. The attackers likely used information stolen in previous attacks to gather intelligence on potential targets and to strengthen their capabilities accordingly. This mirrors a broader trend of an unprecedented global threat landscape, particularly in the realm of sophisticated nation-state attacks.

Microsoft states that it is still investigating Midnight Blizzard activities and will share what they learn.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Midnight Blizzard)