Microsoft has said it continues to remove elite Russian government hackers who infiltrated the email accounts of senior company executives in November.
The hackers have been attempting to breach customer networks using stolen access data, according to the company.
"This blog provides an update on the nation-state attack that was detected by the Microsoft Security Team on January 12, 2024. As we shared, on January 19, the security team detected this attack on our corporate email systems and immediately activated our response process," the company wrote in a blog post.
It added, "The Microsoft Threat Intelligence investigation identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM."
Microsoft had on Friday said the hackers obtained "secrets" from email exchanges between the company and undisclosed customers—these included cryptographic secrets like passwords, certificates, and authentication keys.
Microsoft also said that it was still contacting affected customers to help them implement protective measures, reported AP News.
Microsoft revealed that hackers from Russia's SVR (foreign intelligence service) used data from the intrusion disclosed in mid-January to compromise source-code repositories and internal systems. Hewlett Packard, a cloud computing company, also disclosed on January 24 that it was a victim of SVR hacking.
"The threat actor’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus," the Windows-maker said.
Cybersecurity experts warned that Microsoft's acknowledgment of the ongoing SVR hack reveals the risks associated with heavy dependence on the company's software and the interconnectedness of its global cloud network among government and business entities.
According to AP, Tom Kellermann from the cybersecurity firm Contrast Security said the development had tremendous national security implications. "The Russians can now leverage supply chain attacks against Microsoft’s customers."
Microsoft said it hasn't determined if the incident will significantly affect its finances. The company also highlighted that the persistence of the intrusion reflects a broader, unprecedented global threat landscape, particularly regarding advanced nation-state attacks.
When Microsoft first revealed the hack, it said that the SVR unit infiltrated its corporate email system, accessing accounts of certain senior executives, as well as employees from its cybersecurity and legal departments.
The company did not reveal the exact number of compromised accounts.
Microsoft claimed to have revoked the hackers' access from the compromised accounts around January 13. However, by that time, the hackers had already established a presence.
Microsoft said that the intrusion occurred by compromising credentials on a "legacy" test account but did not provide further details.
"Across Microsoft, we have increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat. We have and will continue to put in place additional enhanced security controls, detections, and monitoring," the company said in an attempt to assuage customers.
Comments