Microsoft revealed last week that it had discovered a nation-state attack on its corporate systems from the Russian state-sponsored hackers that were behind the SolarWinds attack. Hackers were able to access the email accounts of some members of Microsoft’s senior leadership team — potentially spying on them for weeks or months.
While Microsoft didn’t provide many details on how the attackers gained access in its initial SEC disclosure late on Friday, the software maker has now published an initial analysis of how the hackers got past its security. It’s also warning that the same hacking group, known as Nobelium or by the weather-themed moniker “Midnight Blizzard” that Microsoft uses for it, has been targeting other organizations.
Nobelium initially accessed Microsoft’s systems through a password spray attack. A password spray is a brute-force attack in which hackers try a dictionary of potential passwords against accounts. Crucially, the non-production test tenant account that was breached didn’t have two-factor authentication enabled. Nobelium “tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection,” says Microsoft.
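A spray that uses few attempts per account stays under per-account lockout counters, so it only becomes visible when failures are grouped by source over a longer window. The sketch below is an added example, not code from Microsoft or from the original article; the record format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sign-in records: (timestamp, source, account, succeeded).
EVENTS = [
    ("2024-01-01T01:00", "203.0.113.7", "test-admin", False),
    ("2024-01-01T03:10", "203.0.113.7", "svc-build", False),
    ("2024-01-01T05:25", "203.0.113.7", "qa-lab", False),
    ("2024-01-01T07:40", "203.0.113.7", "test-admin", False),
    ("2024-01-01T09:55", "203.0.113.7", "legacy-test", False),
    ("2024-01-01T12:05", "203.0.113.7", "test-admin", True),
    # An ordinary user mistyping a password: failures on one account only.
    ("2024-01-01T08:00", "198.51.100.4", "alice", False),
    ("2024-01-01T08:02", "198.51.100.4", "alice", True),
]

def parse(events):
    return sorted((datetime.fromisoformat(t), s, a, ok) for t, s, a, ok in events)

def lockout_alerts(events, max_failures=5, window=timedelta(minutes=10)):
    """Per-account rule: max_failures on one account inside a short window."""
    recent, alerts = defaultdict(list), set()
    for ts, _src, acct, ok in parse(events):
        if ok:
            continue
        recent[acct] = [t for t in recent[acct] if ts - t <= window] + [ts]
        if len(recent[acct]) >= max_failures:
            alerts.add(acct)
    return alerts

def spray_alerts(events, min_accounts=4, window=timedelta(hours=24)):
    """Per-source rule: failures spread over many accounts in a long window."""
    fails, alerts = defaultdict(list), {}
    for ts, src, acct, ok in parse(events):
        fails[src] = [(t, a) for t, a in fails[src] if ts - t <= window]
        targeted = {a for _t, a in fails[src]}
        if ok:
            # Success on an already-sprayed account: investigate this first.
            if src in alerts and acct in targeted:
                alerts[src]["succeeded"].add(acct)
            continue
        fails[src].append((ts, acct))
        targeted.add(acct)
        if len(targeted) >= min_accounts:
            hit = alerts.setdefault(src, {"accounts": set(), "succeeded": set()})
            hit["accounts"] |= targeted
    return alerts

if __name__ == "__main__":
    print(lockout_alerts(EVENTS), spray_alerts(EVENTS))
```

On this sample the per-account rule raises nothing, while the per-source rule flags the spraying address and the one account it eventually signed in to.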
From this attack, the group “leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment.” OAuth is a widely used open standard for token-based authentication. It’s commonly used across the web to allow you to sign into applications and services without having to provide a website with your password. Think of websites you might sign into with your Gmail account: that’s OAuth in action.
This elevated access allowed the group to create more malicious OAuth applications and create accounts to access Microsoft’s corporate environment and eventually its Office 365 Exchange Online service that provides access to email inboxes.
“Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts,” explains Microsoft’s security team.
Microsoft hasn’t disclosed how many of its corporate email accounts were targeted and accessed, but the company previously described it as “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.”
Microsoft also still hasn’t disclosed an exact timeline of how long hackers were spying on its senior leadership team and other employees. The initial attack took place in late November 2023, but Microsoft only discovered it on January 12th. That could mean the attackers were spying on Microsoft executives for nearly two months.
Hewlett Packard Enterprise (HPE) revealed earlier this week that the same group of hackers had previously gained access to its “cloud-based email environment.” HPE didn’t name the provider, but the company did reveal the incident was “likely related” to the “exfiltration of a limited number of [Microsoft] SharePoint files as early as May 2023.”
The attack on Microsoft took place just days after the company announced its plan to overhaul its software security following major Azure cloud attacks. It’s the latest cybersecurity incident to hit Microsoft, after 30,000 organizations’ email servers were hacked in 2021 due to a Microsoft Exchange Server flaw, and Chinese hackers breached US government emails via a Microsoft cloud exploit last year. Microsoft was also at the center of the giant SolarWinds attack nearly three years ago, which was carried out by the same Nobelium group behind this embarrassing executive email attack.
Microsoft’s admission of a lack of two-factor authentication on what was clearly a key test account will likely raise eyebrows in the cybersecurity community. While this wasn’t a Microsoft software vulnerability, it was a set of poorly configured test environments that allowed the hackers to quietly move across Microsoft’s corporate network. “How does a non-production test environment lead to the compromise of the most senior officials in Microsoft?” asked CrowdStrike CEO George Kurtz in an interview with CNBC earlier this week. “I think there’s a lot more that’s going to come out on this.”
Kurtz was right: more has come out, but there are still some key details missing. Microsoft does claim that if this same non-production test environment were deployed today, then “mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled” to better protect against these attacks. Microsoft still has plenty more explaining to do, especially if it wants its customers to believe it’s truly improving the way it designs, builds, tests, and operates its software and services to better protect against security threats.