Dive Brief:
- Microsoft has yet to thwart an ongoing attack by a Russian state-sponsored threat actor that intruded into the tech company’s systems and stole data from senior-level executives in late November.
- Since Microsoft first disclosed the attack by Midnight Blizzard almost two months ago, “the company has determined that the threat actor used and continues to use information it obtained to gain, or attempt to gain, unauthorized access to some of the company’s source code repositories and internal systems,” Microsoft said Friday in a filing with the Securities and Exchange Commission.
- “To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised,” Microsoft said Friday in a blog post.
Dive Insight:
Midnight Blizzard’s persistent and, in some respects, expanding attack against Microsoft underscores the tech giant’s need to overhaul its internal security practices.
The state-sponsored actor “has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024,” Microsoft said in the blog post.
Microsoft's multi-pronged security revamp began in earnest in November, after government and industry lambasted the company for an attack in July that exposed emails of 25 of its customers, including the U.S. State Department. The Midnight Blizzard attack prompted Microsoft to take additional measures to address lapses in its internal security practices.
“We have increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat,” Microsoft said in Friday’s SEC filing.
Midnight Blizzard, the state-sponsored actor also known as Nobelium, “is attempting to use secrets of different types it has found,” Microsoft said in the blog post. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”
While multiple Microsoft customers have been impacted by the attack and its downstream effects, Hewlett Packard Enterprise remains the only major customer to come forward, linking a compromise of its cloud-based email system to Midnight Blizzard.
“The threat actor’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” Microsoft said. “Our active investigations of the threat actor’s activities are ongoing, findings of our investigations will continue to evolve, and further unauthorized access may occur.”
Microsoft said the attack has not had a material impact on its operations, and that it has yet to determine whether the incident will materially impact its financial condition or results of operations.