Microsoft Breach: Midnight Blizzard Strikes Again
According to Microsoft, the hacking group known as “Midnight Blizzard” recently infiltrated some of the company’s internal systems and source code repositories using stolen authentication secrets obtained during a cyberattack in January.
Earlier this year, Microsoft disclosed that Midnight Blizzard, also known as NOBELIUM, had breached corporate email servers by conducting a password spray attack, gaining access to a non-production test tenant account lacking multi-factor authentication.
Further investigation revealed that this test account also had access to an OAuth application with elevated privileges within Microsoft’s corporate environment, enabling the threat actors to infiltrate and extract data from corporate mailboxes, including those belonging to Microsoft’s leadership team, cybersecurity personnel, and legal staff.
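A password spray of the kind described above has a recognizable shape in sign-in telemetry: one source touches many accounts with only one or two failed attempts each, which keeps every account under its lockout threshold. The following detector, added here as an illustration and not Microsoft's own code, logs or tooling, runs over a small set of constructed sign-in events and flags a source IP that shows that pattern, additionally calling out any account that the same source then signed into successfully without MFA being enforced. Field names, thresholds, addresses and account names are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events; timestamps, IPs and account names are
# invented for this illustration and do not come from any real tenant.
# Tuple layout: (timestamp, user, source_ip, result, mfa_enforced)
SAMPLE_EVENTS = [
    # one source trying one password each against many accounts (spray shape)
    ("2024-01-10T02:00:01", "alice@corp.example", "203.0.113.7", "FAILURE", True),
    ("2024-01-10T02:00:05", "bob@corp.example", "203.0.113.7", "FAILURE", True),
    ("2024-01-10T02:00:09", "carol@corp.example", "203.0.113.7", "FAILURE", True),
    ("2024-01-10T02:00:14", "dave@corp.example", "203.0.113.7", "FAILURE", True),
    ("2024-01-10T02:00:20", "erin@corp.example", "203.0.113.7", "FAILURE", True),
    # the spray lands on a test account that has no MFA enforced
    ("2024-01-10T02:00:26", "test-tenant-svc@corp.example", "203.0.113.7", "SUCCESS", False),
    # benign noise: one user mistyping their own password from their usual address
    ("2024-01-10T09:15:00", "frank@corp.example", "198.51.100.20", "FAILURE", True),
    ("2024-01-10T09:15:10", "frank@corp.example", "198.51.100.20", "FAILURE", True),
    ("2024-01-10T09:15:25", "frank@corp.example", "198.51.100.20", "SUCCESS", True),
]


def parse_events(raw):
    """Turn the raw tuples into dicts with parsed timestamps."""
    return [
        {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
         "result": result, "mfa": mfa}
        for ts, user, ip, result, mfa in raw
    ]


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_fail_per_account=2):
    """Return one finding per source IP whose failures look like a spray.

    Spray heuristic (assumed thresholds): within `window`, at least
    `min_accounts` distinct accounts fail from the same IP, and no single
    account fails more than `max_fail_per_account` times. Each finding also
    lists successful sign-ins from that IP inside the window, and which of
    those succeeded on accounts where MFA was not enforced.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        # slide a window starting at each event from this source
        for i, start in enumerate(evs):
            failures = defaultdict(int)
            successes = []
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["result"] == "FAILURE":
                    failures[e["user"]] += 1
                else:
                    successes.append(e)
            if (len(failures) >= min_accounts
                    and max(failures.values()) <= max_fail_per_account):
                findings.append({
                    "ip": ip,
                    "window_start": start["ts"],
                    "accounts_targeted": sorted(failures),
                    "successful_logins": [e["user"] for e in successes],
                    "success_without_mfa": [e["user"] for e in successes
                                            if not e["mfa"]],
                })
                break  # one finding per source IP is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_events(SAMPLE_EVENTS)):
        print(f"spray from {f['ip']} starting {f['window_start']}: "
              f"{len(f['accounts_targeted'])} accounts targeted, "
              f"success without MFA on {f['success_without_mfa']}")
```

The per-account failure cap is what separates a spray from ordinary brute force or a user mistyping a password, and the "success without MFA" field is the triage signal that matters most here: a low-and-slow spray is only as dangerous as the accounts it lands on, so any non-MFA account that accepts a password from a spraying source should be treated as compromised until proven otherwise.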
Microsoft suspects that the threat actors breached these email accounts to ascertain what information Microsoft possessed about them.
Recently, Microsoft observed evidence indicating that Midnight Blizzard has been leveraging stolen data to access some of the company’s systems and source code repositories. Despite this breach, Microsoft states that it has found no evidence of any compromise of its customer-facing systems hosted by the company.
While Microsoft hasn’t specified the exact nature of the stolen “secrets,” it’s likely they include authentication tokens, API keys, or credentials.
Microsoft has initiated communication with customers whose secrets were exposed in stolen emails exchanged with the company, aiming to assist them in implementing mitigation measures.
In light of the heightened threat posed by Midnight Blizzard, Microsoft has increased security measures across its organization to counter advanced persistent threat actors. Additionally, Microsoft is collaborating with federal law enforcement agencies in their ongoing investigation into the threat actor and the incident.
Midnight Blizzard, also referred to as Nobelium, APT29, and Cozy Bear, is a state-sponsored hacking group associated with Russia’s Foreign Intelligence Service (SVR). The group gained notoriety following the 2020 SolarWinds supply chain attack, which compromised numerous companies, including Microsoft, enabling the theft of source code for specific Azure, Intune, and Exchange components.
In June 2021, the hacking group once again breached a Microsoft corporate account, accessing customer support tools. Since then, the group has been linked to various cyberespionage attacks targeting NATO and EU countries, focusing on embassies and government entities. Additionally, Nobelium is known for developing customized malware for its operations.
Happy Hunting!
— j1nx