Midnight Blizzard Accesses Microsoft Internal Systems and Source Code

Microsoft has confirmed a new, significant intrusion by the persistent Russia-based hacking group Midnight Blizzard (NOBELIUM). The threat actors leveraged information exfiltrated during a January cyberattack to gain recent, unauthorized access to Microsoft’s internal network, including source code repositories.

Microsoft traced the breach back to a January cyberattack where Midnight Blizzard leveraged a common but dangerous method – a password spray attack. This technique bombards accounts with potential passwords until one combination works. In this case, a legacy non-production test account fell victim. Shockingly, this account lacked a crucial layer of security: multi-factor authentication (MFA). With this initial foothold, the threat actors escalated their access to an OAuth application that held permissions within the corporate environment. The result? Access to sensitive emails belonging to Microsoft’s leadership and personnel focused on cybersecurity and legal matters.
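The attack chain above starts with a password spray: one or a few passwords tried against many accounts, so no single account accumulates enough failures to trip a lockout. The defensive signal is therefore the number of distinct accounts failing from one source in a short window, and a success from such a source against an account with no MFA is the event that matters most. The following detection sketch is an added example, not Microsoft's own tooling; the `timestamp key=value` log format, the IP addresses, the account names and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events in a hypothetical key=value format (not a real
# Microsoft or Entra ID log schema). Source 203.0.113.7 sprays one password
# across many accounts; 198.51.100.9 is one user mistyping a password.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-01-12T03:00:09Z src=203.0.113.7 user=bob result=FAIL
2024-01-12T03:00:17Z src=203.0.113.7 user=carol result=FAIL
2024-01-12T03:00:25Z src=203.0.113.7 user=dave result=FAIL
2024-01-12T03:00:33Z src=203.0.113.7 user=erin result=FAIL
2024-01-12T03:00:41Z src=203.0.113.7 user=legacy-test-01 result=SUCCESS mfa=none
2024-01-12T03:01:02Z src=198.51.100.9 user=frank result=FAIL
2024-01-12T03:01:10Z src=198.51.100.9 user=frank result=FAIL
2024-01-12T03:01:20Z src=198.51.100.9 user=frank result=SUCCESS mfa=app
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed time."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_spray_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: set(accounts)} for sources whose failures touched at least
    min_accounts distinct accounts inside any sliding window of length `window`.
    A spray spreads few attempts over many accounts, so the per-source count of
    distinct failed accounts (not the per-account failure count) is the signal."""
    failures = defaultdict(list)  # src -> [(time, user)], sorted by time
    for e in sorted(events, key=lambda e: e["time"]):
        if e["result"] == "FAIL":
            failures[e["src"]].append((e["time"], e["user"]))
    flagged = {}
    for src, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[src] = flagged.get(src, set()) | users
    return flagged


def successes_after_spray(events, flagged):
    """A successful sign-in from a flagged source means the spray worked;
    one with no MFA is the highest-priority alert."""
    alerts = []
    for e in events:
        if e["src"] in flagged and e["result"] == "SUCCESS":
            alerts.append({"src": e["src"], "user": e["user"],
                           "mfa": e.get("mfa", "unknown")})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_spray_sources(evs)
    for src, users in sources.items():
        print(f"spray source {src}: {len(users)} distinct accounts failed")
    for a in successes_after_spray(evs, sources):
        print(f"ALERT: success from spray source {a['src']} as {a['user']} (mfa={a['mfa']})")
```

Run against the constructed log, the single-user typo source is ignored while 203.0.113.7 is flagged after five distinct accounts, and its later success against `legacy-test-01` with `mfa=none` surfaces as the alert. In a real tenant the same logic also wants source aggregation by ASN or proxy pool, since a spray is frequently spread across many IPs, and an inventory check that no account (legacy test accounts included) is exempt from MFA.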

Microsoft believes Midnight Blizzard’s primary goal in accessing this trove of emails was to learn precisely what Microsoft knew about the group and its operations.

The situation has intensified over recent weeks. Using information mined from the stolen data, Midnight Blizzard gained access to Microsoft’s internal systems, including sensitive source code repositories. The company says it’s found no evidence of customer-facing services being compromised, but the situation remains fluid.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised,” Microsoft Security Response Center wrote.

Microsoft warns that Midnight Blizzard is actively attempting to leverage any secrets shared between Microsoft and its customers in past emails. The company is taking steps to notify and assist affected customers. Worryingly, February saw a tenfold increase in password spray attacks compared to January as Midnight Blizzard ramps up its activity.

This ongoing campaign showcases Midnight Blizzard’s determination, sophistication, and resourcefulness. They likely intend to use this intrusion to map Microsoft’s internal defenses, laying the groundwork for additional, potentially more damaging actions.

Microsoft is mobilizing to counter the assault, with increased security investments and cross-company coordination. Ongoing investigations and their results will further inform and enhance their defensive posture.