
Russian hackers accessed Microsoft source code 

An incident attributed to the Russian hacking crew Cozy Bear that was first disclosed in January continues to affect Microsoft systems.
Photo caption: People visit the U.S. technology company Microsoft's stand during the Mobile World Congress, the telecom industry's biggest annual gathering, in Barcelona on February 26, 2024. (Photo by Josep LAGO / AFP)

In January, Microsoft disclosed that Russian hackers had breached the company’s systems and managed to read emails belonging to senior executives. Now, the company has revealed that the breach was worse than initially understood and that the Russian hackers accessed Microsoft source code. 

Friday’s revelation — made in a blog post and a filing with the Securities and Exchange Commission — is the latest in a string of breaches affecting the company that have raised major questions in Washington about Microsoft’s security posture. The company’s filing with the SEC describes the incident as ongoing, stating that “the threat actor used and continues to use information it obtained to gain, or attempt to gain, unauthorized access to some of the Company’s source code repositories and internal systems.”

Microsoft has linked the attack to the hacking group it tracks as Midnight Blizzard but is more popularly known as Cozy Bear. The group is believed to be a unit of Russia’s foreign intelligence service SVR and one of the Kremlin’s most capable hacking units. 

The incident began in November, when the hackers in question gained access to what Microsoft has described as a “legacy non-production test tenant account” using a password spray attack — a basic way of compromising a computing system that simple security hygiene, such as multifactor authentication and account lockout policies, would typically prevent.
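The password-spray pattern named above is worth seeing in log form: unlike brute force, a spray tries a few common passwords against many accounts, so per-account lockouts never trigger and the signal only appears when failures are grouped by source. The script below is an added example written for this page, not Microsoft's telemetry or code from the article; the sign-in events, IP addresses and account names are constructed.

```python
"""Detect password spraying in sign-in logs by grouping failures per source.

Added example, not from the article or from Microsoft. The events below are
constructed. A spray is the inverse of brute force: few guesses per account,
many accounts, usually from one source in a short window. Counting distinct
target accounts per source inside a sliding window surfaces it, and any
success from that source after the spray starts is the finding that matters.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, account, result).
# 203.0.113.9 sprays five accounts then lands on a test account;
# 198.51.100.7 hammers a single account (brute force, a different pattern).
SAMPLE_EVENTS = [
    ("2024-01-12T03:00:01", "203.0.113.9", "alice@example.test", "failure"),
    ("2024-01-12T03:00:04", "203.0.113.9", "bob@example.test", "failure"),
    ("2024-01-12T03:00:07", "203.0.113.9", "carol@example.test", "failure"),
    ("2024-01-12T03:00:10", "203.0.113.9", "dave@example.test", "failure"),
    ("2024-01-12T03:00:13", "203.0.113.9", "erin@example.test", "failure"),
    ("2024-01-12T03:00:16", "203.0.113.9", "test-legacy@example.test", "success"),
    ("2024-01-12T03:05:00", "198.51.100.7", "alice@example.test", "failure"),
    ("2024-01-12T03:05:09", "198.51.100.7", "alice@example.test", "failure"),
    ("2024-01-12T03:05:20", "198.51.100.7", "alice@example.test", "success"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return one finding per source whose failed sign-ins hit at least
    `min_accounts` distinct accounts within `window`. Each finding lists the
    accounts that source successfully signed into on or after the spray began."""
    by_source = defaultdict(list)
    for ts, ip, account, result in events:
        by_source[ip].append((datetime.fromisoformat(ts), account, result))

    findings = []
    for ip, rows in by_source.items():
        rows.sort()
        failures = [(t, a) for t, a, r in rows if r == "failure"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            targeted = {a for _, a in failures[start:end + 1]}
            if len(targeted) >= min_accounts:
                spray_start = failures[start][0]
                successes = sorted({a for t, a, r in rows
                                    if r == "success" and t >= spray_start})
                findings.append({
                    "source": ip,
                    "spray_start": spray_start.isoformat(),
                    "distinct_accounts": len(targeted),
                    "successes_after_spray": successes,
                })
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_EVENTS):
        print(finding)
```

The thresholds (`window`, `min_accounts`) are the tuning knobs: a source that fails against many accounts a few times each is the spray signature, while the single-account repeat from the second source is not flagged here because it is a different pattern that per-account lockout already addresses. The success recorded after the spray is the alert to act on first, since it identifies the account that accepted a guessed password.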


The attackers then used that access to pivot into other company systems, including emails belonging to senior executives. Security experts say that the way the attackers managed to move from a test system into sections of Microsoft’s corporate systems that should be highly protected — including source code and executives’ emails — represents a concerning and puzzling development.

According to Microsoft’s most recent statement on the breach, the company appears to be engaged in an ongoing battle to either kick the hackers out of their systems or prevent them from breaching the company again. “Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so,” according to the firm’s blog post. 

It remains unclear what source code the attackers have accessed, but Microsoft says it does not believe “customer-facing systems have been compromised.”

The company is concerned, however, that “Midnight Blizzard is attempting to use secrets of different types it has found,” including in emails between customers and Microsoft. “As we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” the company said in its blog post. 

The company describes the incident as an example of “what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.” In response, the company has said it is increasing the resources and attention devoted to securing its systems. 


Written by Elias Groll

Elias Groll is a senior editor at CyberScoop. He has previously worked as a reporter and editor at Foreign Policy, covering technology and national security, and at the Brookings Institution, where he was the managing editor of TechStream and worked as part of the AI and Emerging Technology Initiative. He is a graduate of Harvard University, where he was the managing editor of The Harvard Crimson.
