After disclosing a cyberattack carried out by Russian government spies targeting Microsoft, the company now reveals that the same group, identified as Midnight Blizzard or APT29/Cozy Bear, has also targeted other organizations. Microsoft detected the intrusion on January 12 and notified additional targeted organizations as part of its usual processes. The hackers employed a password spray attack, evading detection with a tailored approach focused on specific accounts. The espionage campaign, initiated in late November, aimed at stealing sensitive information, particularly from senior executives and cybersecurity personnel.
Broader Targeting: Microsoft discloses that the Russian-backed hackers behind the breach also targeted other organizations beyond Microsoft. The extent of the campaign and the number of affected organizations remain unclear.
Midnight Blizzard Group: The hackers, known as Midnight Blizzard or APT29/Cozy Bear, are believed to be affiliated with Russia’s Foreign Intelligence Service (SVR). Microsoft identified the group as responsible for the cyberattack.
Password Spray Attack: The hackers initiated the breach using a password spray attack on a legacy system lacking multi-factor authentication. The approach involved using a limited number of attempts tailored to specific accounts, reducing the likelihood of detection.
Targeted Email Accounts: Once access was gained, the hackers specifically targeted senior executives, cybersecurity professionals, and individuals from legal and other departments. The attackers accessed a small percentage of Microsoft corporate email accounts, stealing emails and attached documents.
Interest in Own Information: Microsoft notes that the hackers displayed an interest in finding information about themselves, attempting to understand what Microsoft knows about them.
Hewlett Packard Enterprise (HPE) Breach: HPE, using Microsoft-hosted email systems, discloses that Midnight Blizzard breached its email system. The hackers accessed and exfiltrated data from a limited number of HPE mailboxes starting in May 2023. The breach is distinct from Microsoft’s incident.
The revelation that Russian-backed hackers targeted multiple organizations, including Microsoft and HPE, underscores the sophistication and broader scope of the espionage campaign. Microsoft’s ongoing investigations aim to assess the full impact of the breach, shedding light on the hackers’ motives and the information they sought from the compromised accounts.