Russian hackers accessed Microsoft's corporate network for a month

Alfonso Maruccia

Facepalm: Even though they can now choose from a remarkably long list of attacks against corporate networks, cybercriminals often resort to "simpler" methods like brute-force password guessing. No one is safe from insecure email accounts, after all.

Microsoft recently detected a nation-state attack against its corporate email network, identifying the likely culprit as Midnight Blizzard. Also known as APT29, Nobelium, and Cozy Bear, the infamous Russian cybercrime gang is well known for being directly tied to the Kremlin's offensive intelligence activities against Microsoft and other major Western organizations.

The attack started in late November 2023, Microsoft revealed, when Midnight Blizzard used a password spray attack to compromise a legacy, non-production test account. Password spraying is a textbook brute-force technique: the attacker tries common passwords against known user accounts, usually in an automated fashion and paced slowly so that the attempts fly under the radar.
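Password spraying leaves a recognisable pattern in sign-in logs: one source touches many accounts with only one or two failed attempts each, spread out over hours so that no per-account lockout fires. The Python script below is an added illustration of that detection check, not code from the article or from Microsoft's write-up. It runs over a constructed, simplified log format (`<timestamp> <OK|FAIL> user=<name> src=<ip>`); the IP addresses, account names and thresholds (window length, minimum distinct users, maximum attempts per user) are all assumptions for the demo, and the `legacy-test` account mirrors the article's scenario of a spray that ends with a successful sign-in.

```python
"""Password-spray detection over sign-in logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Lines are "<UTC timestamp> <OK|FAIL> user=<name> src=<ip>".
# 203.0.113.7 tries one guess against seven accounts over four hours, and the
# guess works on the dormant "legacy-test" account; 198.51.100.20 is a normal
# user mistyping her own password three times.
SAMPLE_LOG = """\
2023-11-20T01:02:11Z FAIL user=alice src=203.0.113.7
2023-11-20T01:31:40Z FAIL user=bob src=203.0.113.7
2023-11-20T02:05:03Z FAIL user=carol src=203.0.113.7
2023-11-20T02:44:59Z FAIL user=dave src=203.0.113.7
2023-11-20T03:20:17Z FAIL user=erin src=203.0.113.7
2023-11-20T04:01:52Z FAIL user=frank src=203.0.113.7
2023-11-20T04:40:00Z FAIL user=legacy-test src=203.0.113.7
2023-11-20T05:15:33Z OK   user=legacy-test src=203.0.113.7
2023-11-20T09:00:00Z FAIL user=alice src=198.51.100.20
2023-11-20T09:00:05Z FAIL user=alice src=198.51.100.20
2023-11-20T09:00:10Z FAIL user=alice src=198.51.100.20
2023-11-20T09:00:20Z OK   user=alice src=198.51.100.20
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray(log_text, window=timedelta(hours=24), min_users=5, max_per_user=2):
    """Return {source ip: finding} for sources whose failures look like a spray.

    A spray is many distinct accounts, each hit only a few times, from one
    source inside the window: the mirror image of a classic brute force, which
    hammers one account and trips per-account lockout. Thresholds are
    illustrative assumptions, not values from the article.
    """
    events = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        for start in fails:  # try each failure as the start of a window
            per_user = defaultdict(int)
            for e in fails:
                if start["ts"] <= e["ts"] <= start["ts"] + window:
                    per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # A later success on a sprayed account is the foothold case from
                # the article: the guess worked somewhere.
                hits = sorted({e["user"] for e in evs
                               if e["ok"] and e["user"] in per_user and e["ts"] >= start["ts"]})
                findings[src] = {
                    "distinct_users": len(per_user),
                    "max_attempts_per_user": max(per_user.values()),
                    "successful_logins_after_spray": hits,
                }
                break  # one alert per source is enough
    return findings


if __name__ == "__main__":
    for src, finding in detect_spray(SAMPLE_LOG).items():
        print(src, finding)
```

The point of grouping by source rather than by account is that a spray never trips a per-account threshold by design; the normal user who fails three times in twenty seconds is not flagged because she only touches her own account. In a real environment the same logic would be joined with the sprayed accounts' MFA status and the source's reputation before paging anyone.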

Once they gained a foothold in the "test" account, the Russian cybercriminals exploited its permissions to access a "very small" percentage of corporate accounts. Members of the company's senior leadership team, employees in cybersecurity, legal, and other departments were affected, and some emails and attached documents were exfiltrated.

The Russian hackers were ultimately after information about their own activities, Microsoft said. There was no evidence that the intruders accessed customer environments, production systems, source code, or "AI systems." The company also reiterated that the attack was not the result of a vulnerability in its products or services, though it will notify customers if the need arises.

The attack highlights how dangerous Russian state actors (and Midnight Blizzard in particular) continue to be for all IT organizations. Microsoft informed the affected employees and denied the hackers "further access" into its networks. The company is also preparing some significant changes in how security matters are managed internally in line with the recently announced Secure Future Initiative (SFI).

Microsoft will deploy "AI-based" cyberdefense mechanisms and apply its internal security standards more strictly to legacy applications (and everything else) to try to avoid another Russian incursion into its systems. The Redmond giant says it wants to shift the balance between security and business risk, as the traditional approach is no longer sufficient against a quickly evolving threat landscape. Some level of disruption is expected but will be dealt with, Microsoft said.


 
There have been at least 4 violations of absolute baseline best practices:

- they didn't implement the principle of least privilege
- they didn't have proper access rights reviews, since this was an old account for testing
- they used weak passwords
- they didn't have 2FA

This is inexcusable for ANY environment, let alone something this crucial. MS, get your act together.
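Three of the four points above map directly onto checks an identity team can run against a directory export. The Python below is an added example, not from the commenter, the article or Microsoft: it audits a constructed list of accounts for a test account holding privileged roles (least privilege), accounts with no sign-in in 90 days (access review) and accounts without a second factor (2FA). The role names, account names and the 90-day threshold are assumptions. Password strength cannot be judged from such an export, so the weak-password point is left to the directory's password policy and the breach-list check done at password-set time.

```python
"""Access-hygiene audit over a directory export (added example, hypothetical data)."""
from datetime import date, timedelta

# Hypothetical role names that grant broad access; a real tenant would map
# these from its own role catalogue.
PRIVILEGED_ROLES = {"Global Admin", "Mailbox Reader", "Application Admin"}
STALE_AFTER = timedelta(days=90)  # illustrative access-review threshold

# Constructed sample export. A dormant legacy test account that still holds a
# privileged role and has no MFA is the worst case; a current admin with MFA passes.
ACCOUNTS = [
    {"name": "legacy-test", "environment": "test", "mfa": False,
     "roles": {"Mailbox Reader"}, "last_sign_in": date(2022, 3, 1)},
    {"name": "svc-build", "environment": "prod", "mfa": False,
     "roles": set(), "last_sign_in": date(2024, 1, 10)},
    {"name": "alice", "environment": "prod", "mfa": True,
     "roles": {"Global Admin"}, "last_sign_in": date(2024, 1, 18)},
    {"name": "never-used", "environment": "test", "mfa": True,
     "roles": set(), "last_sign_in": None},
]


def audit(accounts, today):
    """Return {account name: [issue, ...]} for every account that fails a check."""
    findings = {}
    for acct in accounts:
        issues = []
        excess = acct["roles"] & PRIVILEGED_ROLES
        if acct["environment"] == "test" and excess:
            # Least privilege: a test account has no business holding admin roles.
            issues.append("least-privilege: test account holds " + ", ".join(sorted(excess)))
        last = acct["last_sign_in"]
        if last is None or today - last > STALE_AFTER:
            # Access review: dormant accounts get disabled, not left for an attacker to find.
            issues.append(f"access-review: no sign-in in {STALE_AFTER.days}+ days, disable it")
        if not acct["mfa"]:
            # 2FA: a guessed password alone must not be enough to sign in.
            issues.append("mfa: no second factor enforced")
        if issues:
            findings[acct["name"]] = issues
    return findings


def prioritise(findings):
    """Order flagged accounts by number of failed checks, worst first."""
    return sorted(findings, key=lambda name: (-len(findings[name]), name))


if __name__ == "__main__":
    result = audit(ACCOUNTS, date(2024, 1, 20))
    for name in prioritise(result):
        print(name, "->", "; ".join(result[name]))
```

The combination matters more than any single check: an account that is dormant, privileged and MFA-less at the same time is exactly the shape of the account the article describes, and it sorts to the top of the list so it is handled first.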
 
There have been at least 4 violations of absolute baseline best practices:

- they didn't implement the principle of least privilege
- they didn't have proper access rights reviews, since this was an old account for testing
- they used weak passwords
- they didn't have 2FA

This is inexcusable for ANY environment, let alone something this crucial. MS, get your act together.
While I agree with all the above, we need to primarily focus on finding and identifying the real culprits. Not having my house closed, moated, and triple-gated is not any excuse for thieves to get in. There is only so much you can do to defend yourself - at some stage you simply have to cut the bandits who are trying to steal the fruits of your hard work.
 
While I agree with all the above, we need to primarily focus on finding and identifying the real culprits. Not having my house closed, moated, and triple-gated is not any excuse for thieves to get in. There is only so much you can do to defend yourself - at some stage you simply have to cut the bandits who are trying to steal the fruits of your hard work.
If you leave your house doors unlocked, your windows open, and light up a big neon sign that says "ROB ME", then you only have yourself to blame there. Being a large cloud-based IT company is a very different reality from being a homeowner.
There have been at least 4 violations of absolute baseline best practices:

- they didn't implement the principle of least privilege
- they didn't have proper access rights reviews, since this was an old account for testing
- they used weak passwords
- they didn't have 2FA

This is inexcusable for ANY environment, let alone something this crucial. MS, get your act together.
But don't worry, you should TOTALLY use an online MS account, it's super secure! Why WOULDN'T you want all of your data on Microsoft servers?
 
If you leave your house doors unlocked, your windows open, and light up a big neon sign that says "ROB ME", then you only have yourself to blame there. Being a large cloud-based IT company is a very different reality from being a homeowner.
I'd disagree. No normal, civilized citizen would enter another person's property to take what is not his. It is like reserving a table in a cafe by leaving your phone on it. It works, in civilized and responsible societies.
The same with attacking women - too often I hear 'You should wear different clothes, cover your hair, blah blah, best to put on a burka or it is your fault'. Don't put the blame on the victim.

And with all my negative feelings towards MS, this attack was prepared and constantly executed from many different angles for years till a weak spot was found. And yes, MS had some soft spots, but still we need to remember they were the victim, and where there is a victim, there is a culprit as well. This culprit has to be dealt with.

There is no 100% safety on the internet. That's why critical infrastructure is simply not connected to the internet.
 
I'd disagree. No normal, civilized citizen would enter another person's property to take what is not his. It is like reserving a table in a cafe by leaving your phone on it. It works, in civilized and responsible societies.
The same with attacking women - too often I hear 'You should wear different clothes, cover your hair, blah blah, best to put on a burka or it is your fault'. Don't put the blame on the victim.
Ok, not every person on earth is a "normal, civilized person" who respects others. There are people out there who are outright bad people, who will steal, destroy, etc. This is why door locks exist. The "civil, responsible" societies you are talking about still have door locks, and still have criminals.

It is not the responsibility of others to protect you. If you take no precautions in your life, bad things will happen to you sooner or later. This is why the 2nd amendment exists, BTW, because in a civilized country you should have the right to defend yourself.
And with all my negative feelings towards MS, this attack was prepared and constantly executed from many different angles for years till a weak spot was found. And yes, MS had some soft spots, but still we need to remember they were the victim, and where there is a victim, there is a culprit as well. This culprit has to be dealt with.
Again, MS did not take basic precautions. This attack didn't need years of preparation, it needed one guy to guess that MS used weak passwords and no 2FA. When you build an IT company, with resources connected to the internet in any capacity, you need to follow protocol. Those exist for a REASON. Simple 2FA and restricted access based on role would have prevented this. MS, BTW, offers a 2FA service. MS's customers were far more secure than MS themselves.
There is no 100% safety on the internet. That's why critical infrastructure is simply not connected to the internet.
This is hilarious. It totally undermines your arguments up to this point, which can be summed up as "there is a victim, therefore nothing could have been done to prevent this because there was a culprit, don't victim blame", and NOW you admit things will never be 100% safe. If only there were basic security measures that could be used to mitigate these attacks. Kinda like.... a door lock. Hmmmmm.....
 
While I agree with all the above, we need to primarily focus on finding and identifying the real culprits. Not having my house closed, moated, and triple-gated is not any excuse for thieves to get in. There is only so much you can do to defend yourself - at some stage you simply have to cut the bandits who are trying to steal the fruits of your hard work.

If you have a house on the border of Thief Land, a place where the local government does not care if their citizens cross the border to rob houses, and your own government is not willing to risk war with Thief Land to chase the criminals down, then yes you do need to have moats & triple gates on your property. And on the internet, every house is on the border of Thief Land.
 
I'd disagree. No normal, civilized citizen would enter another person's property to take what is not his. It is like reserving a table in a cafe by leaving your phone on it. It works, in civilized and responsible societies.
The same with attacking women - too often I hear 'You should wear different clothes, cover your hair, blah blah, best to put on a burka or it is your fault'. Don't put the blame on the victim.

And with all my negative feelings towards MS, this attack was prepared and constantly executed from many different angles for years till a weak spot was found. And yes, MS had some soft spots, but still we need to remember they were the victim, and where there is a victim, there is a culprit as well. This culprit has to be dealt with.

There is no 100% safety on the internet. That's why critical infrastructure is simply not connected to the internet.
Humanity has proven it is not civilized. I've been safer in some parts of the third world than in some of the worst parts in the US.
 
This same story published at another site added the allegation that this Russian group was the same one that was identified as the source of the hack against the DNC (which revealed Hillary Clinton's and John Podesta's emails). That allegation was debunked by Julian Assange who strongly intimated that a DNC staffer, Seth Rich, was the source of the leak, which is the probable reason that Seth Rich was soon murdered. By attaching the 'Russian hack' story to this story elsewhere, the story loses credibility. I cannot be sure that it did not happen just as Microsoft says it happened, but it is at least possible that Microsoft is stirring up the pot to build anti-Russian support on behalf of the Democratic Party or the government in general.
 
While I agree with all the above, we need to primarily focus on finding and identifying the real culprits. Not having my house closed, moated, and triple-gated is not any excuse for thieves to get in. There is only so much you can do to defend yourself - at some stage you simply have to cut the bandits who are trying to steal the fruits of your hard work.

The culprits will all be in somewhere like Russia, Belarus, North Korea, Iran, China etc. So if you find them, what are you going to do about it?
 
There have been at least 4 violations of absolute baseline best practices:
That is your opinion, not a factual statement.

- they didn't implement the principle of least privilege
- they didn't have proper access rights reviews, since this was an old account for testing
- they used weak passwords
- they didn't have 2FA
Part of that is right. The first point isn't very important and would not have stopped the breach nor very much of the access. The last point is much more of an annoyance than an actual security measure. It's also easily hacked/defeated.

The second point is correct. Locking out old accounts not in use or no longer authorized for access is a proper method of security.
The third point is also very much correct. Passwords of appropriate complexity and size are critical to security as well.

This is inexcusable for ANY environment, let alone something this crucial. MS, get your act together.
I hate to seem like I'm defending Microsoft, but you have no idea how those hackers got in. Those hackers are some of the best in the world and "standard" or even "enhanced" security practices likely wouldn't have held them back.
 
Who is asking this question?

If they know it was Russians, where is the evidence? Accusing a nation because somebody spoofed an IP address or ran through 20 proxies does not prove it was a Russian; this would be called a psyop.
If it was China making it look like it was Russian, when it was actually a Brazilian living in Turkey, you would not know.
International agencies who say they know who it is, I call it "BS". Everyone is trying to make it look like the Russians are BAD... but how many times was the CEO of MS on Jeffrey Epstein's island, how many times was Bill Gates there, how many times was Melinda Gates there...

I think you will find a lot of fake stories created to give a narrative
 
Who is asking this question?

If they know it was Russians, where is the evidence? Accusing a nation because somebody spoofed an IP address or ran through 20 proxies does not prove it was a Russian; this would be called a psyop.
If it was China making it look like it was Russian, when it was actually a Brazilian living in Turkey, you would not know.
International agencies who say they know who it is, I call it "BS". Everyone is trying to make it look like the Russians are BAD... but how many times was the CEO of MS on Jeffrey Epstein's island, how many times was Bill Gates there, how many times was Melinda Gates there...

I think you will find a lot of fake stories created to give a narrative
You can't be serious with all that tin-hat $h!t! Microsoft might have a problem with certain parts of their security, but they are smart enough to know where an attack is coming from.
 
While I agree with all the above, we need to primarily focus on finding and identifying the real culprits. Not having my house closed, moated, and triple-gated is not any excuse for thieves to get in. There is only so much you can do to defend yourself - at some stage you simply have to cut the bandits who are trying to steal the fruits of your hard work.
"One man's terrorist is another man's freedom fighter". The best form of security is to not have anything worth stealing and to make sure that everyone else has satisfactory amounts of what you do have for their own consumption - therefore no need to steal. But that is for some future Earth. In this case IP - why is MS software not open source? It's been asked of Microsoft since the very early days. Gates & Allen never answered this question, and neither has anyone else since then.
 
I'd disagree. No normal, civilized citizen would enter another person's property to take what is not his. It is like reserving a table in a cafe by leaving your phone on it. It works, in civilized and responsible societies.
The same with attacking women - too often I hear 'You should wear different clothes, cover your hair, blah blah, best to put on a burka or it is your fault'. Don't put the blame on the victim.

And with all my negative feelings towards MS, this attack was prepared and constantly executed from many different angles for years till a weak spot was found. And yes, MS had some soft spots, but still we need to remember they were the victim, and where there is a victim, there is a culprit as well. This culprit has to be dealt with.

There is no 100% safety on the internet. That's why critical infrastructure is simply not connected to the internet.
Of course MS were the "victim of their own stupidity", which these hackers were pointing out. Why blame the messenger for the message they are giving you? Secrets are like lies - when you use them, keep them very small in number and make them hard to detect (lock them away in your brain). Why was the information that was hacked classed as secret? Probably it did not need to be at all: I certainly see no evidence that it did. If it was truly secret, why was it outside of its box with a connection to the outside? I suspect that it was because it was not really secret, since no one but a truly stupid person would leave truly secret stuff lying around.
 
"One man's terrorist is another man's freedom fighter". The best form of security is to not have anything worth stealing and to make sure that everyone else has satisfactory amounts of what you do have for their own consumption - therefore no need to steal. But that is for some future Earth. In this case IP - why is MS software not open source? It's been asked of Microsoft since the very early days. Gates & Allen never answered this question, and neither has anyone else since then.
Open source means they cannot spy on you, steal your data without somebody finding out ....no, they wants ABSOLUTE Control me finks
 
While I agree with all the above, we need to primarily focus on finding and identifying the real culprits. Not having my house closed, moated, and triple-gated is not any excuse for thieves to get in. There is only so much you can do to defend yourself - at some stage you simply have to cut the bandits who are trying to steal the fruits of your hard work.
I am not sure why you think it is not hard work to steal and why your hard work is worth more than mine. If my only way to get fruit is to steal it from you by working harder than you, then Darwin's law of nature says I am right and will survive and you are wrong and will die - I am fitter than you. The laws of nature are well above the laws of man.
 
This same story published at another site added the allegation that this Russian group was the same one that was identified as the source of the hack against the DNC (which revealed Hillary Clinton's and John Podesta's emails). That allegation was debunked by Julian Assange who strongly intimated that a DNC staffer, Seth Rich, was the source of the leak, which is the probable reason that Seth Rich was soon murdered. By attaching the 'Russian hack' story to this story elsewhere, the story loses credibility. I cannot be sure that it did not happen just as Microsoft says it happened, but it is at least possible that Microsoft is stirring up the pot to build anti-Russian support on behalf of the Democratic Party or the government in general.
It's called "deflection propaganda" and has been used by MS from its earliest days. And I still don't understand why the media (including SimpleFlying) want to propagate it.
 
Humanity has proven it is not civilized. I've been safer in some parts of the third world than in some of the worst parts in the US.
Well, there are 6+ billion people in this world (most of whom live outside of the US), so it is way too broad a statement to be true. And how many people really follow the 10 Commandments even there?
 
Everyone and his/her uncle knows that the easiest way to get into a restricted network (like Microsoft's or the FAA or DoD etc. etc.) is to bribe/coerce an employee to open the door - no "hacking" required. All that "password", 2FA etc. just serves to punish the honest while being a very limited barrier to penetration for smart people. Luckily most smart people see the costs of breaking the law vs the benefits of upholding the law and know that there are other far easier legal ways to make money. If a country (like the US) wanted to get into, say, a Russian network they would simply bribe an employee - since they are the wealthier nation. For vice versa, Russia might use more coercion since they are not as wealthy. In neither case would they use "hacking". This "hacking" was a poke in the eye for MS but we should not change it into an act of terrorism by over-reacting.
 
...A dictionary attack is a type of brute force attack...
A true brute-force attack uses automated tools to guess all possible passwords until the correct input is identified.

A dictionary attack systematically enters every word in a dictionary / word file as a password until the correct input is identified.

A lot of websites will group these together as the same type, but they are completely different methods. The major difference is that one generates password attempts on the fly and the other uses a file of predetermined words to try.
 