Microsoft Discloses Intrusion by Russian State-Backed Hackers into Core Systems

Microsoft's security team has revealed that they detected a nation-state attack on their corporate systems on January 12, 2024. They swiftly activated their response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. The identified threat actor is Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium. This disclosure aligns with Microsoft's commitment to responsible transparency, as reaffirmed in their Secure Future Initiative (SFI).

The attack began in late November 2023 when the threat actor employed a password spray attack to compromise a legacy non-production test tenant account, thus gaining a foothold. Subsequently, they utilized the account's permissions to access a small percentage of Microsoft corporate email accounts, including those belonging to members of the senior leadership team and employees in cybersecurity, legal, and other functions. Some emails and attached documents were exfiltrated. Microsoft is in the process of notifying employees whose email was accessed.
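The initial access described above was a password spray: one source trying a few passwords against many accounts, which evades per-account lockout thresholds. The following detector, an added example that is not part of the disclosure or of any Microsoft tooling, runs over constructed sign-in events (hypothetical accounts and IPs) and flags a source that touches many distinct accounts with only a few attempts each inside a time window, reporting which of those accounts it eventually signed into.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical, not from the page or real logs).
# Fields: timestamp, account, source IP, result.
SAMPLE_EVENTS = [
    ("2023-11-20T02:00:05", "svc-test01", "203.0.113.7", "failure"),
    ("2023-11-20T02:00:09", "svc-test02", "203.0.113.7", "failure"),
    ("2023-11-20T02:00:14", "svc-test03", "203.0.113.7", "failure"),
    ("2023-11-20T02:00:20", "svc-test04", "203.0.113.7", "failure"),
    ("2023-11-20T02:00:26", "svc-test05", "203.0.113.7", "failure"),
    ("2023-11-20T02:00:31", "svc-test06", "203.0.113.7", "success"),
    # One user mistyping a password, then succeeding: not a spray.
    ("2023-11-20T02:01:00", "alice", "198.51.100.4", "failure"),
    ("2023-11-20T02:01:05", "alice", "198.51.100.4", "failure"),
    ("2023-11-20T02:01:10", "alice", "198.51.100.4", "success"),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_attempts_per_account=2):
    """Return alerts as (source_ip, distinct_accounts, accounts_that_succeeded).

    Per source IP, slide a time window over its sign-ins and flag a window that
    contains many distinct accounts with only a few attempts each. A brute force
    against a single account (many attempts, one account) is deliberately not
    flagged here; it is caught by ordinary per-account lockout logic.
    """
    by_source = defaultdict(list)
    for ts, account, ip, result in events:
        by_source[ip].append((datetime.fromisoformat(ts), account, result))
    alerts = []
    for ip, rows in by_source.items():
        rows.sort()
        best = None
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            attempts = defaultdict(int)
            succeeded = set()
            for _, account, result in rows[start:end + 1]:
                attempts[account] += 1
                if result == "success":
                    succeeded.add(account)
            if (len(attempts) >= min_accounts
                    and max(attempts.values()) <= max_attempts_per_account
                    and (best is None or len(attempts) > best[1])):
                best = (ip, len(attempts), sorted(succeeded))
        if best is not None:
            alerts.append(best)
    return alerts
```

The succeeded list is the triage priority: those accounts need credential reset, session revocation and a review of what their permissions reached, which in the incident above was mailbox access.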

Importantly, Microsoft emphasizes that the attack did not exploit vulnerabilities in their products or services. Thus far, there is no evidence that the threat actor accessed customer environments, production systems, source code, or AI systems. Customers will be promptly notified if any action is required.

This incident underscores the ongoing risk posed by well-resourced nation-state threat actors like Midnight Blizzard. Microsoft acknowledges the need to recalibrate the balance between security and business risk in the face of such threats. The traditional calculus is deemed insufficient, prompting Microsoft to accelerate the application of its security standards to legacy systems and internal business processes, even if this disrupts existing processes.

While these changes may cause some level of disruption, Microsoft deems them necessary and only the initial steps in embracing a new security philosophy. The company continues its investigation and pledges to take further actions based on the investigation's outcomes. Collaboration with law enforcement and relevant regulators remains ongoing.

Microsoft reiterates its commitment to sharing information and learnings with the community to bolster collective security. Additional details will be provided as deemed appropriate.

https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/