Hackers working on behalf of Russia’s foreign intelligence service successfully penetrated a limited number of Microsoft corporate email accounts, stealing some emails and attached documents, the company announced Friday.
Microsoft detected the attack from a hacking unit tied to Russia’s External Intelligence Service (SVR) on Jan. 12 “and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access,” the company said in a Securities and Exchange Commission filing.
The attackers used a password spray attack — a technique in which a single common password is tried against many user names, rather than many passwords against one account — to compromise a “legacy, non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft’s corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.”
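The sign-in pattern just described is what a defender hunts for in authentication logs: many distinct accounts each failing once or twice from the same source, followed by a success. The following script is an added example, not part of the original article and not Microsoft's own tooling; it runs over constructed sample sign-in lines (the timestamps, IP addresses, user names and results are all made up) and flags a source that fails against many accounts with few attempts per account, which is the spray signature, while leaving a single-account brute force and an ordinary mistyped password unflagged.

```python
"""Flag password-spray sources in sign-in logs (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events, one per line: timestamp, source IP, user, result.
# 203.0.113.7 sprays one password across five accounts, then lands on a test account.
# 198.51.100.9 hammers a single account (brute force, not spray).
# 192.0.2.44 is a user who mistyped a password once.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z 203.0.113.7 alice FAIL
2024-01-12T03:00:04Z 203.0.113.7 bob FAIL
2024-01-12T03:00:07Z 203.0.113.7 carol FAIL
2024-01-12T03:00:10Z 203.0.113.7 dave FAIL
2024-01-12T03:00:13Z 203.0.113.7 erin FAIL
2024-01-12T03:00:16Z 203.0.113.7 test-tenant-svc SUCCESS
2024-01-12T03:01:00Z 198.51.100.9 frank FAIL
2024-01-12T03:01:02Z 198.51.100.9 frank FAIL
2024-01-12T03:01:04Z 198.51.100.9 frank FAIL
2024-01-12T03:01:06Z 198.51.100.9 frank FAIL
2024-01-12T03:01:08Z 198.51.100.9 frank FAIL
2024-01-12T03:01:10Z 198.51.100.9 frank FAIL
2024-01-12T03:05:00Z 192.0.2.44 grace FAIL
2024-01-12T03:05:20Z 192.0.2.44 grace SUCCESS
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result))
    return events


def find_spray_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: [users]} for sources whose failures within any `window`
    touch at least `min_users` distinct accounts with no more than `max_per_user`
    failures on any single account. The low per-account count is what separates a
    spray (which stays under lockout thresholds) from a brute force on one account."""
    failures = defaultdict(list)
    for when, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((when, user))

    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        # Slide a window starting at each failure; flag on the first window that matches.
        for i, (start, _) in enumerate(fails):
            in_window = [user for when, user in fails[i:] if when - start <= window]
            per_user = Counter(in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that authenticated successfully from a flagged source: the likely foothold
    that needs its sessions revoked and its permissions reviewed."""
    return sorted({user for _, ip, user, result in events if ip in flagged and result == "SUCCESS"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = find_spray_sources(evs)
    for ip, users in hits.items():
        print(f"spray source {ip}: {len(users)} accounts targeted: {', '.join(users)}")
    print("footholds:", successes_from_flagged(evs, hits))
```

The thresholds (`min_users`, `max_per_user`, `window`) are assumptions chosen for the constructed data; a real deployment would tune them to the tenant's sign-in volume and, as the article's detail about a legacy test tenant suggests, would also pay attention to which tenants and authentication protocols the matching events arrive on.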
The company’s investigation suggests the attackers were “initially” targeting email accounts for information related to themselves. “The attack was not the result of a vulnerability in Microsoft products or services,” the company added. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”
This is the second time in the past six months that Microsoft has disclosed an embarrassing attack by state-aligned hackers. In July, the company announced that a Chinese-linked operation had successfully obtained an internal consumer signing key and used that to obtain access to email accounts connected with U.S. government officials.
The SVR hacking unit that attacked Microsoft — tracked by Microsoft as Midnight Blizzard, but also as Nobelium, APT29, or Cozy Bear — was behind the attack on SolarWinds, first announced in 2020, which gave the hackers access to a variety of U.S. government agencies, along with hundreds of other victims, the White House said in April 2021.
The group was also involved with the hack of the Democratic National Committee leading up to the 2016 U.S. elections, playing a key role in the sweeping Russian election interference operation.