Saturday, March 9th 2024
Microsoft Reveals Cyberattack & Theft of Internal Source Code
We have provided an update on the nation-state attack that was detected by the Microsoft Security Team on January 12, 2024. As we shared, on January 19, the security team detected this attack on our corporate email systems and immediately activated our response process. The Microsoft Threat Intelligence investigation identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM. As we said at that time, our investigation was ongoing, and we would provide additional details as appropriate.
In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised. It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.

Midnight Blizzard's ongoing attack is characterized by a sustained, significant commitment of the threat actor's resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.
Across Microsoft, we have increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat. We have and will continue to put in place additional enhanced security controls, detections, and monitoring.
Our active investigations of Midnight Blizzard activities are ongoing, and findings of our investigations will continue to evolve. We remain committed to sharing what we learn.
Sources:
Microsoft Security Team Blog #1, Microsoft Security Team Blog #2, The Verge, CNBC
16 Comments on Microsoft Reveals Cyberattack & Theft of Internal Source Code
Internal passwordless world hehe
It's like some kind of modern day version of Game of Thrones. Kinda cool in a demented way.
But yeah... Russian attack sounds more plausible. The truth usually lies somewhere in between.
But regarding the hacks, every powerful nation state is actively doing this to each other. USA, China and Russia are just big enough and good enough that it's noticeable.
Even my university IT staff talk about the constant attempted hacks 24/7 from China and other sources.
Maybe they should focus more on security than AI pumping?
The same procedures are used for other old items like Greek pottery, jewelry, paintings, drawings, textiles, etc. They are more worried about damage to the physical object by careless or poor handling from your greasy hands or you spilling a soda all over a priceless manuscript.
In fact, many of these priceless artifacts get digitally archived as a precaution against further damage to the original object. This is particularly important for books because a museum can't put a book on display and show all of its pages.
For something like precious source code, there are multiple copies. That's what backups are for. You can make a copy of the Magna Carta but the copy doesn't have the same value as the original. For digital data, it's all pretty much equivalent.
Let's say you have your grandfather's wristwatch and it gets destroyed in an accident. You find the same exact model on FleaBay. Would you buy it as a replacement? It's no longer the item that your grandfather actually used. It just looks the same.
Anyhow, it goes well beyond the loss of source code. It's about losing trust. Even if they can identify and eventually nail the perpetrators, they have lost trust and goodwill from customers. And not just Joe Consumer or Xbox Gamer Guy, it also includes corporate customers of Azure.
Even if you don't use OneDrive, you probably use some service that is running on Azure. Can't get away from the cloud anymore even if you disconnect your PC from the Internet and throw away your smartphone. Your bank, hospital, insurance company, airline, public transit system, etc. are all online. Yeah, until you run out of money or public support.
The latter happened to the USA in Vietnam.
Yes, you can defeat anything. But at what cost? Is it always worth it?
With cyberattacks, a very small organization can topple a massive one. It's a little different than the physical warfare that Patton was commenting about. Look at Kevin Mitnick.
I can't buy a DJI drone and defeat the British Navy. However, a hacker could buy a $500 laptop and infiltrate Microsoft.