Russian hackers breached Microsoft customer support to try phishing targets in 36 countries

State-sponsored Russian hackers compromised a Microsoft customer support representative’s account, leveraging that access to try to hack other customers, the company said.

The cyber-espionage group that Microsoft calls Nobelium — also known as APT 29 and Cozy Bear — obtained “basic account information” about a limited number of customers as part of the effort. The same group is the primary suspect in the data breach at federal contractor SolarWinds, a hack in which spies also breached nine U.S. federal agencies and scores of technology companies.

“This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised — we are aware of three compromised entities to date,” said the Microsoft blog post. “All customers that were compromised or targeted are being contacted through our state-notification process.”

The apparent Russian hackers used information-stealing malware to infect a customer support machine, then used data found on that device to target IT companies, government agencies and non-government organizations and think tanks. Targets were located in 36 countries.

In an email to customers, Microsoft advised that attackers may have accessed information about support cases, subscription account metadata and billing information. Security personnel observed activity in affected organizations as early as May 17, according to the email. The company detected no further activity after May 31.

Cozy Bear is the same hacking group behind a phishing campaign in which attackers impersonated the U.S. Agency for International Development, a government agency that funds development programs around the world, to try infiltrating 150 organizations in 24 countries, Microsoft said in May.

Sean Lyngaas contributed reporting.