Microsoft has disclosed that the recent hack carried out by Russian government spies was not limited to the technology giant alone. In a new blog post, the company stated that the same group of hackers had targeted other organizations as well. As part of its standard notification procedures, Microsoft has initiated the process of informing these targeted entities.
Key Takeaway
Microsoft has revealed that the Russian hackers responsible for the recent intrusion also targeted other organizations. The extent of the targeting and the impact of the breach on these entities remain subjects of ongoing investigation.
Extent of the Targeting
It remains unclear how many organizations have been targeted by the Russian-backed hackers. Microsoft has not provided a specific number of victims it has notified so far, despite requests for comment.
Identification of the Hackers
Microsoft has identified the hackers as the group it calls Midnight Blizzard, which is widely believed to be working for Russia’s Foreign Intelligence Service, or SVR. Other security companies refer to the group as APT29 and Cozy Bear.
Details of the Intrusion
According to Microsoft, the intrusion was detected on January 12, with the hacking campaign commencing in late November. The hackers utilized a “password spray attack” on a legacy system that lacked multi-factor authentication. This technique involves trying a small set of commonly used passwords, or a larger list of passwords from past data breaches, against many accounts rather than hammering a single account.
Modus Operandi of the Attack
The hackers tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks. They further reduced the likelihood of discovery by launching these attacks from a distributed residential proxy infrastructure, thereby obfuscating their activity and enabling the attack to persist over time until successful.
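The two paragraphs above describe why this campaign was hard to spot: few attempts per account, spread across many residential proxy addresses. The following is an added example of detection logic written for this article; it is not Microsoft's telemetry or its detection logic. The log format, account names, IP addresses and thresholds are all constructed for the demo. It contrasts a classic per-source-IP failure counter, which sees at most one or two failures from any one address and stays silent, with a sliding-window detector keyed on the number of distinct accounts failing, which surfaces the spray regardless of how many addresses it comes from. It then checks for a successful sign-in to a sprayed account shortly after the window, the event that should be triaged first.

```python
"""Detect low-and-slow, distributed password spraying in sign-in logs.

Added example for this article; not Microsoft's telemetry or detection code.
The log format (timestamp account source_ip result), the sample events and
the thresholds are assumptions made for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: eight accounts, one failure each, every attempt from a
# different address, spread over two hours, then a success on one of them.
# The second day shows a legitimate user mistyping a password twice.
SAMPLE_LOG = """\
2023-11-20T02:01:10Z alice@example.test 203.0.113.10 FAIL
2023-11-20T02:14:33Z bob@example.test 198.51.100.7 FAIL
2023-11-20T02:31:05Z carol@example.test 192.0.2.44 FAIL
2023-11-20T02:47:51Z dave@example.test 203.0.113.77 FAIL
2023-11-20T03:02:19Z erin@example.test 198.51.100.91 FAIL
2023-11-20T03:20:40Z frank@example.test 192.0.2.130 FAIL
2023-11-20T03:41:02Z grace@example.test 203.0.113.201 FAIL
2023-11-20T03:58:27Z heidi@example.test 198.51.100.160 FAIL
2023-11-20T04:10:00Z heidi@example.test 198.51.100.160 SUCCESS
2023-11-21T09:00:00Z alice@example.test 10.0.0.5 FAIL
2023-11-21T09:00:05Z alice@example.test 10.0.0.5 FAIL
2023-11-21T09:00:12Z alice@example.test 10.0.0.5 SUCCESS
"""


def parse_events(text):
    """Parse log lines into (timestamp, account, source_ip, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, account, ip, result))
    events.sort(key=lambda e: e[0])
    return events


def per_ip_alerts(events, max_failures=5):
    """Classic detector: flag any single source IP with many failures.

    A spray routed through a residential proxy pool produces one or two
    failures per address, so this returns nothing for the sample."""
    fails = defaultdict(int)
    for _, _, ip, result in events:
        if result == "FAIL":
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= max_failures)


def detect_spray(events, window=timedelta(hours=4), min_accounts=5, max_per_account=2):
    """Sliding-window detector keyed on distinct failing accounts, not on source IP.

    Alert when, within `window`, at least `min_accounts` different accounts fail
    while no single account fails more than `max_per_account` times: many
    victims, few tries each, which is the spray signature. Overlapping windows
    are merged into one alert."""
    fails = [e for e in events if e[3] == "FAIL"]
    alerts = []
    start = 0
    for end in range(len(fails)):
        # Shrink the window from the left so fails[start:end+1] spans <= window.
        while fails[end][0] - fails[start][0] > window:
            start += 1
        span = fails[start:end + 1]
        per_account = defaultdict(int)
        for _, account, _, _ in span:
            per_account[account] += 1
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            alert = {"start": fails[start][0], "end": fails[end][0],
                     "accounts": set(per_account), "ips": {e[2] for e in span}}
            if alerts and alert["start"] <= alerts[-1]["end"]:
                alerts[-1]["end"] = alert["end"]
                alerts[-1]["accounts"] |= alert["accounts"]
                alerts[-1]["ips"] |= alert["ips"]
            else:
                alerts.append(alert)
    return alerts


def successes_after_spray(events, alerts, grace=timedelta(hours=1)):
    """A successful sign-in to a sprayed account during or shortly after the
    spray window is the likely compromise; return those for first triage."""
    hits = []
    for alert in alerts:
        for when, account, ip, result in events:
            if (result == "SUCCESS" and account in alert["accounts"]
                    and alert["start"] <= when <= alert["end"] + grace):
                hits.append((account, ip, when))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("per-IP detector flags:", per_ip_alerts(evts))
    found = detect_spray(evts)
    for a in found:
        print(f"spray {a['start']:%H:%M}-{a['end']:%H:%M}: "
              f"{len(a['accounts'])} accounts from {len(a['ips'])} source IPs")
    for account, ip, when in successes_after_spray(evts, found):
        print(f"PRIORITY: success on sprayed account {account} from {ip} at {when:%H:%M}")
```

In a real deployment the thresholds would be tuned against the tenant's baseline of normal failed sign-ins, and the alert would be joined with the sign-in source (legacy protocol, no MFA challenge) so that the systems this article singles out, older endpoints without multi-factor authentication, get the lowest tolerance.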
Impact of the Breach
Once access was gained, the hackers targeted a small percentage of Microsoft corporate email accounts, specifically focusing on senior executives and individuals working in cybersecurity, legal, and other departments. The compromised accounts were used to steal some emails and attached documents. Interestingly, the hackers were also seeking information about what Microsoft knows about them.
Related Disclosure by Hewlett Packard Enterprise (HPE)
Hewlett Packard Enterprise (HPE) revealed that its Microsoft-hosted email system was also hacked by Midnight Blizzard. The company stated that the hackers accessed and exfiltrated data from a small percentage of HPE mailboxes starting in May 2023. However, it is currently unclear whether this breach is directly linked to the espionage campaign targeting Microsoft.