The Russian state-sponsored hackers responsible for the SolarWinds attack launched a nation-state attack against Microsoft’s corporate systems, the company disclosed last week. Some members of Microsoft’s senior leadership team had their email accounts compromised by hackers, who may have been snooping on them for weeks or months.
Microsoft released a preliminary investigation of how the hackers circumvented its security measures, even though the software company’s original SEC report late on Friday had little details about how the attackers obtained access. It also serves as a warning that other firms have been targeted by the same hacking outfit, commonly known as Nobelium or by the weather-themed nickname “Midnight Blizzard,” which Microsoft uses to refer to them.
Initially, Nobelium used a password spray assault to gain access to Microsoft’s servers. Hackers employ a dictionary of possible passwords in this kind of brute force attack against accounts. Crucially, two-factor authentication was not activated on the compromised non-production test tenant account. In order to avoid discovery, Microsoft claims that Nobelium “tailored their password spray attacks to a limited number of accounts, using a low number of attempts.”
The group identified and compromised a historical test OAuth application that had elevated access to the Microsoft corporate environment by using the access they had gained from the previous attack. A popular open standard for token-based authentication is OAuth. It’s a widely used web feature that lets you log into apps and services without giving your password to a website. OAuth is used on websites that you might be able to get into with your Gmail account.
The group was able to produce more malicious OAuth apps and accounts thanks to this higher access, which also gave them access to Microsoft’s corporate network and, eventually, its Office 365 Exchange Online service, which gives users access to email inboxes.
“Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts,” explains Microsoft’s security team.
Microsoft previously stated that it was “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” The company has not disclosed the exact number of its corporate email accounts that were targeted and accessed.
Additionally, Microsoft has yet to provide a precise timeframe for the duration of the hackers’ eavesdropping on its top leadership group and other staff members. Although the first attack happened in late November 2023, Microsoft didn’t become aware of it until January 12th. This could indicate that for almost two months, the attackers surveilled Microsoft leaders.
The same group of hackers had earlier this week gotten access to Hewlett Packard Enterprise’s (HPE) “cloud-based email environment.” Although HPE did not identify the supplier, it did disclose that the event was “probably connected” to the “exfiltration of a restricted quantity of [Microsoft] SharePoint documents as early as May 2023.”
The Microsoft hack happened a few days after the business declared its intention to restructure its software security in response to significant attacks on the Azure cloud. This is Microsoft’s most recent cybersecurity incident. A Microsoft Exchange Server vulnerability allowed 30,000 companies’ email systems to be compromised in 2021, and Chinese hackers used a Microsoft cloud attack last year to access emails belonging to the US government. The same Nobelium group that carried out this embarrassing executive email hack previously targeted Microsoft in the massive SolarWinds attack almost three years ago.
The cybersecurity community will probably take issue with Microsoft’s revelation that a crucial test account was operating without two-factor authentication. Although there was no software vulnerability in Microsoft, the hackers were able to stealthily navigate Microsoft’s corporate network thanks to a series of incorrectly set up test setups. “In an interview with CNBC earlier this week, George Kurtz, the CEO of CrowdStrike, questioned how the compromise of the highest ranking officials at Microsoft occurred in a non-production test environment.” “I believe there will be much more information released on this,”
Kurtz was correct; additional information has surfaced, but some crucial elements remain unreported. Microsoft asserts that in order to properly defend against these threats, “mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled” if this identical non-production test environment were implemented today. Microsoft still has a lot of explaining to do, particularly if it wants its users to think that it is genuinely making improvements to the way it develops, tests, builds, and runs its services and software to better defend against security risks.