Microsoft Hacked by Russian State-Sponsored Group
By Loc Le
The Microsoft Security Response Center published a blog post stating that the company experienced a cyberattack on January 12, 2024, perpetrated by the Russian-state-sponsored hacker group known as Midnight Blizzard. According to the post, which was released on January 19, 2024, the hack began unfolding in late November 2023 when the hackers “used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold” to access emails and documents from senior leaders at the company as well as employees within the cybersecurity and legal departments. Based on the findings of the investigation launched by the company’s security team, the group appears to have breached the company in order to find out what information Microsoft held about its operations.
Midnight Blizzard: A Track Record of Hacking
The notorious hacking group Midnight Blizzard, which has also been known as Nobelium, BlueBravo, Cozy Bear, and APT29, was the same group of hackers who were responsible for the 2020 cyberattack on the US information technology firm SolarWinds. Considered one of the largest cyberattacks in history, the SolarWinds incident affected over 18,000 individuals within numerous government institutions and agencies as well as private corporations, including Microsoft. Fortunately for Microsoft this time, Midnight Blizzard’s most recent hack was not nearly as advanced and only affected “a very small percentage” of the company’s corporate email accounts. In its blog post, the company stated that “to date, there is no evidence that the threat actor had any access to customer environments, production systems, source code or AI systems.” Despite the relatively minimal scale of the cyberattack, Microsoft has not taken the situation lightly and has already taken action to legally disclose and disrupt the malicious activity.
SEC Mandates Cyberattack Disclosures
Following the SEC’s newly implemented mandate that requires publicly owned companies to promptly disclose hacks upon discovery, Microsoft said in its filing that it was “able to remove the threat actor’s access to the email accounts on or about January 13, 2024.” Furthermore, the company stated that Microsoft-owned legacy systems and internal business processes will be immediately updated to follow the company’s current security standards. While the updates may disrupt existing business processes, Microsoft has asserted that they are necessary and that they are only the first of several changes the company is making.
Microsoft has also taken the opportunity to emphasize how the attack highlights the continual risk organizations face from well-resourced, nation-state-supported threat actors such as Midnight Blizzard. Given that this threat is real, Microsoft is treating the incident as an urgent signal to accelerate the rebalancing of security needs against business risk that it had previously described in the company’s Secure Future Initiative.
State-Sponsored Cybercrime Persists
The Secure Future Initiative, which was announced last year as a plan to strengthen the company’s cybersecurity efforts, came to fruition in response to another cyberattack Microsoft experienced in May 2023, when Chinese-state-sponsored hackers exploited a vulnerability in Microsoft’s email platform to steal hundreds of thousands of emails from senior officials at the U.S. State and Commerce departments. Although Midnight Blizzard’s “attack was not the result of a vulnerability in Microsoft products or services,” experts such as Deepak Kumar still believe that Microsoft did not do enough to prevent the incident.
Kumar, the founder analyst and chief research officer at BMNxt Business and Market Advisory, has suggested that a “weak link in the security chain” may have been a major contributing factor in the compromise of the employee emails, since “best practices, such as zero-trust security, are not necessarily being applied to email accounts of senior leadership.” According to another expert, Omri Weinberg, co-founder of DoControl, this incident should serve as an important lesson for cybersecurity teams not to “overlook sensitive information contained in less critical systems like email and file sharing.”
Increased Threats Require Increased Vigilance
As the rate of cyberattacks around the world continues to increase significantly, it is paramount for Microsoft, as well as other technology companies, to implement and strengthen effective cybersecurity practices that cover every part of their business operations, including the parts that may be considered insignificant.