Mon | Mar 11, 2024 | 4:13 AM PDT

In a sobering update released March 8th, Microsoft has revealed that the Russian state-sponsored hacking group Midnight Blizzard, also tracked as Nobelium, has gained unauthorized access to some of the company's source code repositories and internal systems. This follows an initial breach of Microsoft's corporate email systems detected in January 2024.

According to the Microsoft Security Response Center's blog post, the tech giant recently observed: "Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company's source code repositories and internal systems."

Thankfully, Microsoft stated, "To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised." However, Microsoft acknowledged the attackers are actively leveraging various types of secrets and credentials illicitly obtained from the hacked email communications.

"It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures," the update explained.

The unrelenting nature of the attack campaign was also detailed, with Microsoft observing a "10-fold" increase in certain attack volumes like password spraying in February compared to January levels. "Midnight Blizzard's ongoing attack is characterized by a sustained, significant commitment of the threat actor's resources, coordination, and focus," Microsoft warned.
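Password spraying, the technique Microsoft reports rising "10-fold" in February, is a low-and-slow attack: a single source tries one or two common passwords against many accounts so that no individual account trips a lockout. The signal defenders look for is therefore the number of distinct accounts failing from one source in a short window, not the failure count per account. The following detector is an added example written for this article, not code from Microsoft or SecureWorld; it assumes a simplified sign-in log format (timestamp, source IP, user, outcome) and uses constructed sample lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines (not real data). Assumed format:
# <ISO-8601 timestamp> <source IP> <user> <FAILURE|SUCCESS>
SAMPLE_LOG = """\
2024-02-10T08:00:01Z 203.0.113.7 alice@example.test FAILURE
2024-02-10T08:00:05Z 203.0.113.7 bob@example.test FAILURE
2024-02-10T08:00:09Z 203.0.113.7 carol@example.test FAILURE
2024-02-10T08:00:13Z 203.0.113.7 dave@example.test FAILURE
2024-02-10T08:00:17Z 203.0.113.7 erin@example.test FAILURE
2024-02-10T08:00:21Z 203.0.113.7 frank@example.test SUCCESS
2024-02-10T08:01:00Z 198.51.100.4 alice@example.test FAILURE
2024-02-10T08:01:30Z 198.51.100.4 alice@example.test FAILURE
2024-02-10T08:02:00Z 198.51.100.4 alice@example.test SUCCESS
2024-02-10T09:30:00Z 192.0.2.9 grace@example.test FAILURE
"""


def parse_line(line):
    """Split one log line into (datetime, source_ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag sources whose failures hit >= min_users distinct accounts
    inside any sliding window of length `window`.

    Returns {source_ip: sorted list of distinct failed accounts}.
    A source hammering one account many times (classic brute force)
    is deliberately NOT flagged here; that is a different detection.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = parse_line(line)
        if outcome == "FAILURE":
            failures[ip].append((ts, user))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) >= min_users:
                alerts[ip] = sorted(distinct)
                break
    return alerts


def successes_from_flagged_sources(log_text, alerts):
    """Any SUCCESS from a source already flagged for spraying is the
    highest-priority follow-up: that account likely has a weak or
    reused password and needs a reset and session revocation."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, outcome = parse_line(line)
        if ip in alerts and outcome == "SUCCESS":
            hits.append((ip, user))
    return hits


if __name__ == "__main__":
    flagged = detect_password_spray(SAMPLE_LOG)
    for ip, users in flagged.items():
        print(f"spray suspected from {ip}: {len(users)} accounts: {users}")
    for ip, user in successes_from_flagged_sources(SAMPLE_LOG, flagged):
        print(f"ALERT: successful sign-in for {user} from spraying source {ip}")
```

In the constructed sample, 203.0.113.7 fails against five different accounts within twenty seconds and then succeeds against a sixth, so it is flagged and the success is escalated; 198.51.100.4 fails twice against a single account and is left alone, which is the distinction that separates a spray detector from a plain failed-login counter. In production the window and threshold are tuned against a baseline of normal failure rates, and the source key is usually broadened beyond IP (ASN, user agent, or tenant) because spray tooling rotates addresses.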

Microsoft is now enhancing security controls, detections, and monitoring capabilities to defend against this "advanced persistent threat" while its investigations into the full scope and impact continue.

The incident underscores the stakes involved when highly sophisticated adversaries like Midnight Blizzard successfully breach a technology provider as pivotal as Microsoft. Several cybersecurity experts weighed in on the gravity of the situation.

"Whenever something like source code is stolen, incident responders have to start thinking about how that information can be used to attack the organization and customers," said John Bambenek, President at Bambenek Consulting. "Unlike traditional expulsion events in IR where you simply close all the doors opened by an attacker, source code and secret theft requires ongoing monitoring, remediation, and response months after the breach was mitigated."

Tim Callan, Chief Experience Officer at Sectigo, highlighted how these breaches often originate from basic credential compromises initially. "It's worth noting that this exploit originates with the same basic credentials compromises that we see in nearly all attacks of this nature. Stronger authentication methods, including PKI-based authentication, are our single most powerful defense against these breaches."

Omri Weinberg, Co-Founder and CRO at DoControl, emphasized that endless attack campaigns are an inevitability organizations must be prepared to defend against. "Companies, and mostly management teams or boards, need to understand that they must invest more money in their security posture. It's a never-ending chess game in which you always need to be one step ahead of the attacker."

As Microsoft's investigations continue, the cybersecurity community will watch closely for any developments relating to this major incident's widespread ramifications. At stake are Microsoft's closely guarded intellectual property, the security of its ubiquitous products and services, and the protection of its enterprise customers' sensitive data and systems.
