Microsoft email breach: Attackers accessed internal systems, source code

The Russian state-sponsored attackers who breached the corporate email accounts of several senior Microsoft employees and security team members in November have been using information stolen from those mailboxes to access internal systems. Some of the emails also included secrets that Microsoft exchanged with customers and which could potentially be used in further attacks, the company warns.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” the company said in an update on its investigation Friday. “This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Midnight Blizzard is Microsoft’s designation for a group also known in the security industry as Nobelium or APT29, which, according to US and UK intelligence agencies, is part of Russia’s Foreign Intelligence Service, the SVR. APT29 has been responsible for many high-profile attacks over the years, including the 2021 supply chain compromise involving SolarWinds that impacted thousands of organizations and government agencies.

In January, Microsoft announced that the group managed to gain access to a legacy test tenant account on its infrastructure using a password spraying attack. This is a technique where attackers attempt to access an account using a list of passwords compromised in other breaches. In this case the attackers limited the number of attempts and spread them out over time to evade detection and automatic rate limiting.
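The low-and-slow pattern described above is exactly what per-account lockout and short-window rate limiting miss: each account sees only one or two failures, so the signal is only visible when sign-ins are grouped by source rather than by target. The following detection, added here as an illustration and not part of the original article or of Microsoft's tooling, slides a 24-hour window over failed sign-ins from each source address and flags sources that touch many distinct accounts with few attempts each; any successful sign-in from the same source is reported alongside, since that is the account whose password the spray found. The sign-in records and field layout are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events in an assumed export shape of
# (timestamp, account, source_ip, result). Not real telemetry.
SAMPLE_SIGNINS = [
    # One source, five accounts, one attempt each, spread over a working day.
    ("2023-11-20T01:00:00", "alice@example.com", "198.51.100.7", "failure"),
    ("2023-11-20T03:10:00", "bob@example.com", "198.51.100.7", "failure"),
    ("2023-11-20T05:30:00", "carol@example.com", "198.51.100.7", "failure"),
    ("2023-11-20T08:45:00", "dave@example.com", "198.51.100.7", "failure"),
    ("2023-11-20T12:05:00", "erin@example.com", "198.51.100.7", "failure"),
    # The spray eventually lands on an account with a weak password.
    ("2023-11-20T15:20:00", "test-legacy@example.com", "198.51.100.7", "success"),
    # A single user mistyping their own password is not a spray.
    ("2023-11-20T09:00:00", "frank@example.com", "203.0.113.4", "failure"),
    ("2023-11-20T09:01:00", "frank@example.com", "203.0.113.4", "failure"),
    ("2023-11-20T09:02:00", "frank@example.com", "203.0.113.4", "failure"),
    ("2023-11-20T09:03:00", "frank@example.com", "203.0.113.4", "success"),
]


def detect_password_spray(records, window_hours=24, min_accounts=5, max_per_account=2):
    """Flag source IPs whose failed sign-ins touch many distinct accounts with only a
    few attempts per account inside a sliding window.

    Per-account lockout never fires on that pattern, so the grouping key here is the
    source address, and the window is long enough to catch attempts spaced hours apart.
    Returns one finding per flagged source.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, account, ip, result in records:
        when = datetime.fromisoformat(ts)
        (failures if result == "failure" else successes)[ip].append((when, account))

    window = timedelta(hours=window_hours)
    findings = []
    for ip, events in failures.items():
        events.sort()  # chronological; tuples sort by timestamp first
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span [start, end] fits in the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = Counter(acct for _, acct in events[start:end + 1])
            many_targets = len(per_account) >= min_accounts
            few_attempts_each = max(per_account.values()) <= max_per_account
            if many_targets and few_attempts_each:
                findings.append({
                    "source_ip": ip,
                    "window_start": events[start][0].isoformat(),
                    "targeted_accounts": sorted(per_account),
                    # A success from the same source is the real alarm: it is likely
                    # the account whose password the spray guessed.
                    "successes": sorted(acct for _, acct in successes.get(ip, [])),
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_SIGNINS):
        print(finding)
```

The thresholds are deliberately parameters: a tenant with many shared-IP users (VPN egress, proxies) needs a higher `min_accounts`, and the success list should be cross-checked against whether the signed-in account had MFA, since a success without a second factor is the case the article describes.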

The test account did not have multifactor authentication turned on and had access to an OAuth application that had further elevated access to Microsoft’s corporate environment. The attackers then created their own OAuth applications and used the compromised account to grant those applications the full_access_as_app role in the company’s Office 365 Exchange Online. This role provides full access to mailboxes.

The attack happened in November, but Microsoft detected it on January 12, so the attackers had access to Microsoft’s corporate email system for over a month. During this time, they accessed the mailboxes of employees working in leadership, cybersecurity, and legal positions, including employees who were investigating the APT group itself.

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” Microsoft said in the new update. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”

Russian APT group trying to leverage secrets stolen from Microsoft emails

According to the company’s telemetry, Midnight Blizzard increased the volume of its password spray and other attacks tenfold last month compared to January, which might be an indication that it’s trying to capitalize on the stolen information. This group has the resources and commitment to launch sophisticated and targeted attacks, and the information stolen from Microsoft’s emails could help in its reconnaissance efforts to discover new areas, systems and accounts to attack.

Midnight Blizzard has already demonstrated its ability to launch supply chain attacks and exploit business relationships and shared access between organizations, a technique known as island hopping. Organizations should make sure to apply the principle of least privilege to all their accounts, enable MFA, and disable legacy accounts that have been unused for an extended period.
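The three recommendations above map directly onto the weaknesses the attack chain exploited: an account without MFA, a legacy account nobody was using, and an application role (full_access_as_app) that grants every mailbox in the tenant. The audit below, added here as an illustration and not part of the original article or of any Microsoft product, runs those checks over a snapshot of accounts and application role assignments and, for each high-privilege role, records whether the account that granted it was itself weak. The snapshot format, account names, application names and the `audit_tenant` function are constructed for the example; only the role name full_access_as_app comes from the article.

```python
from datetime import datetime, timedelta

# Constructed tenant snapshot in an assumed export shape. Not a real API response.
ACCOUNTS = [
    {"upn": "legacy-test@example.com", "mfa_enabled": False, "last_sign_in": "2023-06-01"},
    {"upn": "alice@example.com", "mfa_enabled": True, "last_sign_in": "2023-11-25"},
    {"upn": "svc-reports@example.com", "mfa_enabled": False, "last_sign_in": "2023-11-24"},
]

APP_ROLE_ASSIGNMENTS = [
    # A mailbox-wide role granted recently by an account that has not signed in for months.
    {"app": "Legacy Mail Archiver", "resource": "Office 365 Exchange Online",
     "role": "full_access_as_app", "granted_by": "legacy-test@example.com",
     "granted_at": "2023-11-21"},
    {"app": "Ticketing Connector", "resource": "Office 365 Exchange Online",
     "role": "Mail.Read", "granted_by": "admin@example.com", "granted_at": "2022-03-10"},
    {"app": "HR Sync", "resource": "Microsoft Graph",
     "role": "User.Read.All", "granted_by": "admin@example.com", "granted_at": "2022-09-15"},
]

# Roles that give an application unrestricted access to every mailbox in the tenant.
HIGH_RISK_ROLES = {"full_access_as_app"}


def audit_tenant(accounts, assignments, now, stale_days=90):
    """Apply the three controls from the recommendations: MFA on every account,
    no stale legacy accounts, and least privilege on application roles.

    Returns a dict of findings. `now` is an ISO date so the check is reproducible.
    """
    now_dt = datetime.fromisoformat(now)
    stale_cutoff = now_dt - timedelta(days=stale_days)

    no_mfa = sorted(a["upn"] for a in accounts if not a["mfa_enabled"])
    stale = sorted(
        a["upn"] for a in accounts
        if datetime.fromisoformat(a["last_sign_in"]) < stale_cutoff
    )
    weak_accounts = set(no_mfa) | set(stale)

    high_risk = []
    for asg in assignments:
        if asg["role"] in HIGH_RISK_ROLES:
            high_risk.append({
                "app": asg["app"],
                "resource": asg["resource"],
                "role": asg["role"],
                "granted_by": asg["granted_by"],
                "granted_at": asg["granted_at"],
                # A broad role granted by an unprotected or dormant account is the
                # pattern to investigate first: the grant itself may be attacker activity.
                "granted_by_weak_account": asg["granted_by"] in weak_accounts,
            })

    return {
        "accounts_without_mfa": no_mfa,
        "stale_accounts": stale,
        "high_risk_app_roles": high_risk,
    }


if __name__ == "__main__":
    report = audit_tenant(ACCOUNTS, APP_ROLE_ASSIGNMENTS, now="2023-11-26")
    for key, value in report.items():
        print(key, value)
```

In practice the `granted_at` timestamp of a high-risk role should be compared against the granting account's sign-in history: a grant that post-dates the account's last legitimate interactive sign-in, as in the constructed sample, is a strong indicator that the account was used by someone other than its owner.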
