Earlier this year, tech titan Microsoft revealed that it was facing cyber attacks by Russia-linked hacking group, Midnight Blizzard. Now, in a new blog post, the company disclosed a renewed effort by the same suspected Russian hacking group, Midnight Blizzard (also known as Nobelium, Cozy Bear, and APT29), to infiltrate its systems. This ongoing attack follows the earlier incident in January 2024, where the group gained access to sensitive corporate emails, including those of senior leadership.
Not that this is the first time Russia has been accused of cyberattacks – several similar accusations have been levied regarding cyberattacks against Western countries and companies during Russia’s war on Ukraine.
Microsoft disclosed on Friday that Midnight Blizzard has expanded its targets to include the company’s source code repositories and internal systems. Currently, Midnight Blizzard is now exploiting the stolen email data to launch further attacks, attempting unauthorized access to Microsoft’s internal systems and, more critically, its source code repositories. Microsoft hasn’t confirmed any source code theft (yet). “In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised,” Microsoft noted in its blog post.
Speaking more about the group, Midnight Blizzard, also known as Nobelium, Cozy Bear, and APT29, is a suspected Russian hacking group believed to be affiliated with the Foreign Intelligence Service (SVR). and has a history of high-profile attacks. They were implicated in the 2016 Democratic National Committee breach and the 2020 SolarWinds hack, which compromised several US government agencies.
The hacking group has reportedly become more aggressive in its approach. Their reliance on “password spraying” – a brute-force technique attempting multiple passwords on various accounts – has increased tenfold compared to January’s attack. Additionally, they are leveraging stolen secrets, potentially including login credentials shared between Microsoft and its customers, to gain unauthorized access. Despite the renewed attack, Microsoft assures that no evidence suggests a compromise of their customer-facing systems. For its part, the company has taken steps to bolster its security posture, implementing enhanced controls, detections, and monitoring measures. They are actively investigating the ongoing campaign and vow to share their findings as the situation evolves.