Microsoft confirmed on Friday that Midnight Blizzard, the Russian state-sponsored hacking group, gained access to some of its source code repositories and internal systems in the intrusion it first disclosed in January 2024.
The company said that Midnight Blizzard, also tracked as APT29 or Cozy Bear, used information it had first exfiltrated from Microsoft's corporate email systems to obtain that access. Microsoft added that it has found no evidence that Microsoft-hosted customer-facing systems were compromised.
Microsoft is still investigating the scope of the breach. It said Midnight Blizzard is attempting to use the various secrets it obtained, including secrets that customers had shared with Microsoft by email, and that it has contacted the affected customers directly; it did not say what kinds of secrets were taken or how many.
Microsoft did not specify which source code was accessed. It said it has increased its security investments, and noted that Midnight Blizzard's password spray attacks grew by as much as tenfold in February over the already substantial volume observed in January.
Microsoft characterized the ongoing attack as a sustained, significant commitment of resources, coordination, and focus, and suggested the threat actor may be using the information it obtained to map out targets for future attacks and to improve its capabilities. The breach is part of a broader global threat landscape marked by sophisticated nation-state attacks.
The intrusion began in late November 2023, when Midnight Blizzard used a password spray attack to compromise a legacy, non-production test tenant account that lacked multi-factor authentication (MFA). Microsoft disclosed in late January that APT29 had also targeted other organizations, using initial access methods ranging from stolen credentials to supply chain attacks.
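The two passages above describe the sign-in pattern behind this intrusion: one source failing against many distinct accounts with only a few attempts each (staying under lockout thresholds), and eventually landing on an account that did not require MFA. As an added example, not Microsoft's detection logic and not code from the original article, the following Python flags that pattern in sign-in records and reports any later success from the same source. The record layout, field names (loosely modelled on Entra ID sign-in log exports), thresholds and the sample events are all constructed assumptions of this example, not real telemetry.

```python
"""Password-spray detection over constructed sign-in records (example only).

A spray tries one or two common passwords against many accounts from the same
source, so the per-account failure count stays low while the number of
distinct accounts per source climbs. detect_sprays() flags sources that fail
against at least MIN_DISTINCT_ACCOUNTS accounts inside one window with no more
than MAX_FAILURES_PER_ACCOUNT attempts on any single account, then lists any
subsequent successes from that source, separating out those without MFA.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)        # assumed window; tune to your tenant
MIN_DISTINCT_ACCOUNTS = 10            # assumed threshold for "many accounts"
MAX_FAILURES_PER_ACCOUNT = 3          # sprays stay below lockout thresholds


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _constructed_sample():
    """Synthetic sign-in events (constructed for this example, not real data)."""
    events = []
    spray_ip = "203.0.113.7"
    # One failed attempt per account, two minutes apart, from a single source.
    for n in range(12):
        events.append({"time": f"2023-11-28T02:{2 * n:02d}:00Z",
                       "user": f"user{n:02d}@corp.example",
                       "ip": spray_ip, "status": "failure", "mfa": False})
    # The spray lands on a test-tenant account that never enforced MFA.
    events.append({"time": "2023-11-28T02:30:00Z",
                   "user": "legacytest@corp.example",
                   "ip": spray_ip, "status": "success", "mfa": False})
    # Benign control: one user mistypes a password five times, then gets in
    # with MFA. Many failures on one account is not a spray.
    for n in range(5):
        events.append({"time": f"2023-11-28T03:0{n}:00Z",
                       "user": "alice@corp.example",
                       "ip": "198.51.100.20", "status": "failure", "mfa": False})
    events.append({"time": "2023-11-28T03:06:00Z", "user": "alice@corp.example",
                   "ip": "198.51.100.20", "status": "success", "mfa": True})
    return events


SAMPLE_SIGNINS = _constructed_sample()


def detect_sprays(records, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS,
                  max_per_account=MAX_FAILURES_PER_ACCOUNT):
    """Return {source_ip: finding} for sources that show spray behaviour."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: _parse_time(r["time"])):
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, events in by_ip.items():
        failures = [e for e in events if e["status"] == "failure"]
        # Slide a window over the failures, starting at each failure in turn.
        for i, start in enumerate(failures):
            t0 = _parse_time(start["time"])
            in_window = [e for e in failures[i:]
                         if _parse_time(e["time"]) - t0 <= window]
            per_user = Counter(e["user"] for e in in_window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                later_ok = [e for e in events if e["status"] == "success"
                            and _parse_time(e["time"]) >= t0]
                findings[ip] = {
                    "window_start": start["time"],
                    "distinct_accounts": len(per_user),
                    "max_failures_per_account": max(per_user.values()),
                    "subsequent_successes": [e["user"] for e in later_ok],
                    "successes_without_mfa": [e["user"] for e in later_ok
                                              if not e.get("mfa", False)],
                }
                break  # one finding per source is enough; later windows overlap
    return findings


if __name__ == "__main__":
    for ip, finding in detect_sprays(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

The control source (five failures on a single account) is not flagged because a spray is defined by breadth across accounts, not depth on one; a brute-force rule would catch that case separately. A success listed under `successes_without_mfa` is the condition worth paging on, since it is exactly what a spray landing on an MFA-less legacy account looks like.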
Midnight Blizzard, attributed to Russia's Foreign Intelligence Service (SVR), has been active since at least 2008 and is known for its sophistication, most notably the 2020 SolarWinds supply chain compromise.