Microsoft Says Senior Executives Hacked By Russian Group

The tech giant says that emails were stolen from ‘members of our senior leadership team and employees in our cybersecurity, legal, and other functions.’

Microsoft disclosed Friday that a Russia-aligned threat actor was able to steal emails from members of its senior leadership team as well as from employees on its cybersecurity and legal teams.

The tech giant attributed the attack to a group it tracks as Midnight Blizzard, and previously tracked as Nobelium, which Microsoft has held responsible for the widely felt 2020 breach of SolarWinds.

The names of Microsoft executives whose accounts were impacted were not disclosed.

In a post Friday, Microsoft said that the incident began with a late November 2023 password spray attack, which compromised a “legacy non-production test tenant account.”

Attackers then used the compromised account’s permissions to “access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft said.

“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” the company said.

Microsoft said that its security team uncovered the compromise after detecting “a nation-state attack on our corporate systems on January 12, 2024.”

The detection led the security team to activate its response process “to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access,” Microsoft said. “Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium.”

In statement provided to CRN Friday, Microsoft said that “to date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”

“The attack was not the result of a vulnerability in Microsoft products or services,” the company added in the statement.

Investigation Is Continuing

In a filing with the U.S. Securities and Exchange Commission Friday, Microsoft said the attacker’s access to Microsoft executive and staff email accounts was removed “on or about January 13.”

“We are examining the information accessed to determine the impact of the incident,” Microsoft said in the filing. “We also continue to investigate the extent of the incident.”

As of Friday, Microsoft has “not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations,” Microsoft said in the SEC filing.

2023 Cloud Email Breach

The incident follows last year’s high-profile breach of Microsoft cloud email accounts belonging to multiple U.S. government agencies.

Discovered in June 2023, the attack is believed to have impacted the emails of Commerce Secretary Gina Raimondo as well as U.S. Ambassador to China Nicholas Burns and officials in the Commerce Department. A total of 60,000 emails were stolen from 10 U.S. State Department accounts in the compromise, according to reports.

The incident prompted U.S. Sen. Ron Wyden to request a federal investigation to determine “whether lax security practices by Microsoft” led to the hack, and also led to criticism from numerous prominent executives within the security industry.

In September, Microsoft disclosed that a number of issues enabled the China-linked threat actor — tracked as “Storm-0558” — to compromise the cloud email accounts of U.S. officials. Those included a flaw that caused an Azure Active Directory key used in the compromise to be improperly captured and stored in a file following a Windows system crash in 2021. Another flaw led to the presence of the key not being detected, Microsoft said.

Additionally, the threat actor behind the breach was only able to access the file containing the key through compromising a corporate account belonging to a Microsoft engineer, according to the company.