Russian hackers accessed Microsoft's corporate network for a month

Facepalm: Even though they can now choose from a remarkably long list of attacks against corporate networks, cybercriminals often resort to "simpler" methods like brute-force password guessing. No one is safe from insecure email accounts, after all.

Microsoft recently detected a nation-state attack against its corporate email network, identifying the likely culprit as Midnight Blizzard. Also known as Apt29, Nobelium, and Cozy Bear, the infamous Russian cybercrime gang is well-known for being directly tied to the Kremlin's offensive intelligence activities against Microsoft and other major Western organizations.

The attack started in late November 2023, Microsoft revealed, when Midnight Blizzard employed a password spray attack to compromise a legacy, non-production test account. Password spraying is a quintessential brute-force attack where a cybercriminal tries to guess a known user's password from a list of common passwords. The attack is often automated and slowly occurring, as the threat actor tries to fly under the radar.

Once they gained a foothold in the "test" account, the Russian cybercriminals exploited its permissions to access a "very small" percentage of corporate accounts. Members of the company's senior leadership team, employees in cybersecurity, legal, and other departments were affected, and some emails and attached documents were exfiltrated.

The Russian hackers were ultimately interested in information regarding their own activities, Microsoft said. There was no evidence of the intruders potentially accessing customer environments, production systems, source code, or "AI systems." The company also reiterates that the attack wasn't the result of a vulnerability in its products or services, though it will notify customers if the need arises.

The attack highlights how dangerous Russian state actors (and Midnight Blizzard in particular) continue to be for all IT organizations. Microsoft informed the affected employees and denied the hackers "further access" into its networks. The company is also preparing some significant changes in how security matters are managed internally in line with the recently announced Secure Future Initiative (SFI).

Microsoft will employ "AI-based" cyberdefense mechanisms, and impose a stronger application of internal norms to legacy applications (and everything else) to try to avoid another Russian incursion in its systems. The Redmond giant says it wants to shift the balance between security and business risk, as the traditional approach is no longer sufficient against a quickly evolving landscape. Some level of disruption is expected but will be dealt with, Microsoft said.