State-Backed Hackers Reportedly Breach Microsoft’s Email System


Microsoft revealed on Friday that state-backed Russian hackers infiltrated its corporate email system, gaining access to accounts of the company’s leadership team and employees in cybersecurity and legal roles. The intrusion, detected on January 12, began in late November and was attributed to the same Russian hacking team responsible for the SolarWinds breach.

The breach impacted a “very small percentage” of Microsoft corporate accounts, with some emails and attached documents being stolen. While Microsoft did not disclose the specific members affected, the company stated it is notifying employees whose email was accessed.

The hacking unit, known as Midnight Blizzard or Nobelium, used a “password spraying” technique to compromise the credentials of a “legacy” test account running outdated code. Once inside, the hackers utilised that account’s permissions to reach senior leadership and other targeted accounts. Microsoft emphasised that the attack was not due to vulnerabilities in its products or services.
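The tell of a password spray, as opposed to brute force, is one source trying a small number of passwords across many accounts rather than many passwords against one account. The following detector is an added example, not Microsoft's tooling; it runs over constructed sign-in log lines in an assumed `time user source_ip result` format and also reports which accounts the flagged source actually got into, since that is the foothold the attacker pivots from.

```python
# Added example: flag password-spray patterns in sign-in logs and list the
# accounts a flagged source authenticated to successfully.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO time, user, source IP, result).
SAMPLE_LOG = """\
2024-01-10T02:00:01Z alice 203.0.113.7 FAIL
2024-01-10T02:00:04Z bob 203.0.113.7 FAIL
2024-01-10T02:00:07Z carol 203.0.113.7 FAIL
2024-01-10T02:00:10Z dave 203.0.113.7 FAIL
2024-01-10T02:00:13Z legacy-test 203.0.113.7 SUCCESS
2024-01-10T02:00:16Z erin 203.0.113.7 FAIL
2024-01-10T09:15:00Z alice 198.51.100.5 FAIL
2024-01-10T09:15:20Z alice 198.51.100.5 FAIL
2024-01-10T09:15:40Z alice 198.51.100.5 SUCCESS
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {ip: sorted(users)} for sources that touch >= min_users distinct
    accounts inside `window` with at most `max_per_user` attempts per account."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):      # slide a window over each start
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            per_user = Counter(u for _, u, _ in in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = sorted(per_user)
                break
    return hits

def successes_from_sprayer(events, hits):
    """Accounts that authenticated successfully from a flagged source; a single
    low-privilege test account is enough if its permissions let the attacker pivot."""
    return sorted({u for _, u, ip, r in events if ip in hits and r == "SUCCESS"})
```

Here the second source fails twice and then succeeds against one account, which is ordinary user behaviour and is not flagged; the first source touches six accounts once each and lands on the test account.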

Microsoft was able to remove the hackers’ access from the compromised accounts by January 13. The company’s investigation indicates that the hackers were initially targeting email accounts for information about the hacking group itself.

This disclosure comes in compliance with a new U.S. Securities and Exchange Commission rule that requires publicly traded companies to disclose breaches that could negatively affect their business within four days, unless a national-security waiver is obtained. Microsoft stated in its SEC filing that, as of the filing date, the incident had not had a material impact on its operations, and that the potential financial impact is yet to be determined.

The SVR foreign intelligence agency, responsible for the breach, is known for intelligence-gathering, primarily targeting governments, diplomats, think tanks, and IT service providers in the U.S. and Europe. Microsoft assures customers that, to date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.