Microsoft confirms Russian spies stole source code, accessed internal systems – Source: go.theregister.com

Microsoft has now confirmed that the Russian cyberspies who broke into its executives’ email accounts stole source code and gained access to internal systems. The Redmond giant also characterized the intrusion as “ongoing.”

In an updated US SEC filing and companion security post, Microsoft provided more details about the security breach, which it first disclosed in January. 

At that time, Microsoft said Midnight Blizzard — the Kremlin-backed crew also known as Cozy Bear and APT29 that was behind the SolarWinds supply chain attack — snooped around in “a very small percentage of Microsoft corporate email accounts” and stole internal messages and files belonging to the leadership team, and cybersecurity and legal employees. 

“There is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” Redmond said in January.

That has since changed.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” according to the latest disclosure. “This has included access to some of the company’s source code repositories and internal systems.”

Microsoft maintains there’s “no evidence” so far that the Russian criminals compromised any customer-facing systems. But that’s not for lack of trying.

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” the Windows titan admitted. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.” 

• Microsoft sheds some light on Russian email heist – and how to learn from Redmond’s mistakes
• What Microsoft’s latest email breach says about this IT security heavyweight
• Russia’s Cozy Bear dives into cloud environments with a new bag of tricks
• HPE joins the ‘our executive email was hacked by Russia’ club

It also sounds like this is not the last we’ll hear about the break-in, which started in November and used password spray attacks to compromise an internal account that did not have multi-factor authentication enabled.

The spies are still trying to access additional Microsoft accounts, and we’re told the volume of password sprays increased ten-fold in February compared to the volume of such attacks seen in January.

The silver lining, according to Microsoft’s updated SEC Form 8-K, is that the security snafu hasn’t had any financial impact on operations — yet. 

“Today’s 8-K filing from Microsoft creates more questions for customers and the industry than it answers,” Adam Meyers, counter adversary operations boss at CrowdStrike, noted to reporters.

Microsoft is a national security threat … this breach speaks to Azure’s broader authentication issues

“It reinforces the fact that Microsoft is a national security threat. We know that Microsoft has had many issues with Azure, and this breach speaks to Azure’s broader authentication issues.”

Meyers, who in January had choice words about the cloud giant soon after the email intrusion was disclosed, continued: “In the last year, Microsoft has been breached by China and Russia, the latter incident was enabled by sensitive Microsoft key material exfiltrated from within Microsoft sensitive systems.

“This latest disclosure introduces doubt that they have been able to evict Cozy Bear and it’s a reminder of the much deeper issues seemingly plaguing Azure’s authentication and security mechanisms.”

“In a year where 42 percent of the world’s population is electing new leadership, I am concerned with how the potential access to Microsoft’s sensitive data and AI models may be misused by hostile nation states,” he added, referring to the elections across the world coming up in 2024.

Redmond says its investigation is ongoing and promised to share updates.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” the security updated said. “It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.” ®