On Friday, Microsoft revealed that it had been hacked by Russian government spies. Now, a week later, the tech giant said it wasn’t the only target of the spying operation.
In a new blog post, Microsoft said that “the same agent is targeting other organizations, and as part of our normal notification processes, we have begun notifying those targeted organizations.”
At this point, it’s unclear how many organizations the Russian-backed hackers targeted.
When asked by TechCrunch to provide a specific number of victims it has notified so far, a Microsoft representative declined to comment.
Microsoft identified the hackers as the group it calls Midnight Blizzard. This group is widely believed to be working for Russia’s Foreign Intelligence Service, or SVR. Other security companies call the group APT29 and Cozy Bear.
Microsoft said it detected the intrusion on January 12 and then determined that the hacking campaign began in late November, when the hackers used a “password spray attack” on a legacy system that did not have multi-factor authentication enabled. Password spraying is when hackers try to force their way into accounts using commonly used passwords or a longer list of passwords from previous data breaches.
“The actor tailored password spray attacks to a limited number of accounts, using a small number of attempts to avoid detection and avoid banning accounts based on the volume of failures,” Microsoft wrote in its latest blog post. “The threat actor further reduced the likelihood of discovery by launching these attacks from a distributed proxy home infrastructure. These evasion techniques helped ensure that the actor blocked his activity and could persist with the attack over time until he succeeded.”
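The evasion Microsoft describes works because per-account lockout counters never see enough failures to trip. An added illustration, not from Microsoft or TechCrunch, using constructed sign-in records for an assumed tenant: a per-account lockout check that the low-and-slow spray slips under, beside a tenant-wide check that looks for the spray's actual signature (many accounts, few failures each, several source addresses).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-sign-in records (timestamp, account, source_ip) for an
# assumed tenant; not real telemetry. One or two failures per account, many
# accounts, several source addresses, spread over hours.
SPRAY_EVENTS = [
    (datetime(2023, 11, 20, 1, 5), "alice@corp.example", "203.0.113.10"),
    (datetime(2023, 11, 20, 2, 17), "bob@corp.example", "198.51.100.7"),
    (datetime(2023, 11, 20, 3, 40), "carol@corp.example", "203.0.113.22"),
    (datetime(2023, 11, 20, 5, 2), "dave@corp.example", "192.0.2.88"),
    (datetime(2023, 11, 20, 6, 31), "alice@corp.example", "198.51.100.7"),
    (datetime(2023, 11, 20, 8, 14), "erin@corp.example", "203.0.113.10"),
    (datetime(2023, 11, 20, 9, 55), "frank@corp.example", "192.0.2.88"),
    (datetime(2023, 11, 20, 11, 3), "bob@corp.example", "203.0.113.22"),
]

# One user mistyping a password four times from one address (constructed):
# noisy for that account, but not a spray.
FAT_FINGER_EVENTS = [
    (datetime(2023, 11, 20, 9, m), "grace@corp.example", "192.0.2.5") for m in range(4)
]


def lockout_would_trigger(events, threshold=5, window=timedelta(minutes=15)):
    """Per-account lockout: True if any single account fails >= threshold
    times inside one window. This is the control the spray stays under."""
    by_account = defaultdict(list)
    for ts, account, _ in sorted(events):
        by_account[account].append(ts)
    for times in by_account.values():
        for i, start in enumerate(times):
            if len([t for t in times[i:] if t - start <= window]) >= threshold:
                return True
    return False


def spray_windows(events, window=timedelta(hours=24), min_accounts=5,
                  max_per_account=3, min_sources=3):
    """Tenant-wide view: bucket failures into fixed windows and flag a bucket
    where many distinct accounts each fail only a few times from several
    source addresses. Returns [(bucket_start, n_accounts, n_sources), ...]."""
    buckets = defaultdict(list)
    for ts, account, ip in events:
        buckets[(ts - datetime.min) // window].append((account, ip))
    findings = []
    for key in sorted(buckets):
        per_account = defaultdict(int)
        sources = set()
        for account, ip in buckets[key]:
            per_account[account] += 1
            sources.add(ip)
        if (len(per_account) >= min_accounts
                and max(per_account.values()) <= max_per_account
                and len(sources) >= min_sources):
            findings.append((datetime.min + key * window, len(per_account), len(sources)))
    return findings
```

The tenant-wide check is a detection aid; the mitigation Microsoft itself points to is having MFA on every account, legacy systems included.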
Once the Russian-backed hackers gained access to an account on that legacy system, they “used the account’s privileges to gain access to a very small percentage of Microsoft corporate email accounts,” according to Microsoft, which has yet to specify how many email accounts were compromised.
Microsoft, however, said the hackers specifically targeted the company’s senior executives, as well as people working in cybersecurity, legal and other departments. The hackers managed to steal “some emails and attached documents”.
Curiously, the hackers were interested in learning information about themselves, specifically what Microsoft knows about them, the company said.
On Thursday, Hewlett Packard Enterprise (HPE) revealed that its Microsoft-hosted email system was breached by Midnight Blizzard. HPE said it was made aware of the breach — without saying by whom — on Dec. 12. The company said that according to its own research, hackers “accessed and exfiltrated data” from a “small percentage” of HPE mailboxes starting in May 2023.
It’s unclear how, or if, this breach is connected to the hackers’ espionage campaign targeting Microsoft, as HPE said its incident was linked to an earlier breach where the same hackers infiltrated a “limited number of SharePoint files” from its network.
“We don’t have details about the incident that Microsoft experienced and disclosed last week, so we can’t connect the two at this time,” HPE spokesman Adam R. Bauer told TechCrunch.
This story was updated with Microsoft declining to comment.