Microsoft Email Hacked by Russian Intelligence SVR in APT Attack
Midnight Blizzard, also known as Cozy Bear, hacked top Microsoft executives' email accounts in a new APT cyberattack. (image credit: Cybersecurity Careers Blog / Adobe Firefly)

Email accounts and systems belonging to senior Microsoft corporate executives and to cybersecurity and legal employees were hacked by Midnight Blizzard, a Russian advanced persistent threat (APT) group tied to Russia’s External Intelligence Service (SVR). Microsoft detected the attack from the Russian hacking group on January 12 and immediately took steps to mitigate it, per a Securities and Exchange Commission filing.

Microsoft reported that Midnight Blizzard “used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts.” The compromised email accounts were then used to exfiltrate email and attached documents containing information about Midnight Blizzard.

Midnight Blizzard is also known as Nobelium, APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes. The names are usually assigned by different cybersecurity threat intelligence tracking firms. Midnight Blizzard is a Russian state-sponsored actor, meaning it carries out hacking and other cyber activities on behalf of or with the participation of the Russian government, according to Microsoft.

According to Microsoft, no customer action is required at this time, as no customer environments appear to be affected.

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” the company said in a statement.

Midnight Blizzard, or Cozy Bear, to use its most popular name, was most notably responsible for the SolarWinds supply chain compromise. The number of high-profile breaches against Microsoft has led the company to overhaul the default Azure security controls it offers enterprise customers to help mitigate attacks.
