Russian hackers behind Solarwinds breach accessed emails of senior Microsoft leaders
Russia’s Foreign Intelligence Service (SVR) allegedly hacked into the email accounts of senior leaders at Microsoft, the company said late last week.
In a Friday afternoon statement, Microsoft said it detected a nation-state attack on their corporate systems on January 12 and began an investigation that uncovered a long-running campaign by the prolific hacking group Nobelium — which some researchers refer to as Midnight Blizzard, BlueBravo, and APT29 and believe to be run by the Russian organization responsible for foreign espionage, active measures, and electronic surveillance.
“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” the company said.
“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.”
A Microsoft spokesperson declined to answer questions about how hackers were able to pivot from non-production test accounts into one’s used by senior leaders of the company, only telling Recorded Future News that “there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”
The spokesperson reiterated that their investigation found no vulnerabilities in their products or services. The company reported the incident to the SEC on Friday and said it was able to “remove the threat actor’s access to the email accounts on or about January 13, 2024.”
“The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations,” Microsoft told the SEC.
The spokesperson also did not respond to questions about the second half of the statement released by Microsoft on Friday — which focused on the company’s desire to apply their “current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”
The company claimed the Nobelium incident “highlighted the urgent need to move even faster” in shifting the balance they “need to strike between security and business risk.”
It is unclear what this is in reference to, but the blog links to a November post from Microsoft about Secure Future Initiative, an effort to better secure their software development practices and more.
Microsoft warned on Friday that whatever shift they plan to begin will “likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy.”
“We are continuing our investigation and will take additional actions based on the outcomes of this investigation and will continue working with law enforcement and appropriate regulators,” they said.
Secure Future Initiative was started in response to another headline-grabbing nation-state attack that took place last May, when Chinese hackers exploited issues with Microsoft systems to access the email accounts of U.S. Commerce Secretary Gina Raimondo and other U.S. government officials.
Nobelium is well known for its 2020 attack on tech company SolarWinds, which gave it widespread access to several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, State Department and other parts of the U.S. government.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.