Microsoft Executive Emails Hacked by Russian-Backed Group, Company Says

By Jane Nguyen

Microsoft said on Friday that Russian hackers gained access to its corporate systems and stole some emails and documents belonging to the company’s senior executives.

The tech company said in a blog post that its security team detected the intrusion on Jan. 12 and quickly shut it down. The group responsible for the attack was identified as Midnight Blizzard, “the Russian state-sponsored actor also known as Nobelium.”

It is the same Russian hacking team behind the SolarWinds breach, the company said.

In late November, the group allegedly used a “password spray attack” to breach a Microsoft platform, according to the company. In this technique, attackers try a single common password against many accounts rather than many passwords against one, which keeps each account below lockout thresholds.

“A very small percentage” of Microsoft corporate accounts were accessed, the company said.

In a regulatory filing on Friday, Microsoft said it was able to remove the hackers’ access from the compromised accounts on or about Jan. 13.

The Redmond, Washington-based company said that it is in the process of notifying employees whose email was accessed, adding that its investigation indicates the hackers were initially targeting email accounts for information related to their activities.

“As of the date of this filing, the incident has not had a material impact” on company operations, Microsoft said in the regulatory filing. It added that it has not, however, “determined whether the incident is reasonably likely to materially impact” its finances.

The company said the investigation is ongoing and it will continue working with law enforcement and appropriate regulators, pledging to share more information with the public as it becomes available.

“The attack was not the result of a vulnerability in Microsoft products or services,” the company said in the blog.

“To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”

SEC Reporting Mandate

Microsoft’s disclosure follows a new U.S. Securities and Exchange Commission rule that requires publicly traded companies to disclose breaches that could negatively impact their business. It gives them four business days to file a report disclosing the time, scope, and nature of the breach to the government, unless they obtain a national-security waiver.

Microsoft said the hackers from Russia’s SVR foreign intelligence agency were able to gain access by compromising credentials on a “legacy” test account, suggesting it had outdated code. After gaining a foothold, they used the account’s permissions to access the accounts of the senior leadership team and others. The brute-force attack technique used by the hackers is called “password spraying.”

The threat actor uses a single common password to try to log into multiple accounts. In an August blog post, Microsoft described how its threat-intelligence team discovered that the same Russian hacking team had used the technique to try to steal credentials from at least 40 different global organizations through Microsoft Teams chats.
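As an added example (not from the article, and not Microsoft’s own tooling), the Python below shows what the pattern described above looks like in sign-in logs and how a defender can separate it from classic brute force: a spray leaves many distinct accounts failing from one source with only one or two attempts each. The log lines, IP addresses and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-01-10T02:00:01Z 203.0.113.7 alice@example.test FAIL
2024-01-10T02:00:03Z 203.0.113.7 bob@example.test FAIL
2024-01-10T02:00:05Z 203.0.113.7 carol@example.test FAIL
2024-01-10T02:00:07Z 203.0.113.7 dave@example.test FAIL
2024-01-10T02:00:09Z 203.0.113.7 erin@example.test FAIL
2024-01-10T02:00:11Z 203.0.113.7 legacy-test@example.test SUCCESS
2024-01-10T02:05:00Z 198.51.100.9 alice@example.test FAIL
2024-01-10T02:05:02Z 198.51.100.9 alice@example.test FAIL
2024-01-10T02:05:04Z 198.51.100.9 alice@example.test SUCCESS
"""

def parse(log_text):
    """Parse one event per line into (timestamp, source, account, result)."""
    events = []
    for line in log_text.splitlines():
        ts, src, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources whose failures fan out across many accounts with few tries each
    (spray shape) rather than many tries against one account (classic brute force)."""
    by_src = defaultdict(list)
    for ts, src, account, result in events:
        if result == "FAIL":
            by_src[src].append((ts, account))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            counts = defaultdict(int)
            for t, account in fails[i:]:
                if t - start <= window:
                    counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[src] = sorted(counts)
                break
    return alerts

def successes_after_spray(events, alerts):
    """Accounts that authenticated successfully from a flagged source: the first
    thing to review, since a spray only matters once one guess lands."""
    hits = defaultdict(set)
    for _, src, account, result in events:
        if src in alerts and result == "SUCCESS":
            hits[src].add(account)
    return {src: sorted(accts) for src, accts in hits.items()}
```

The second source (198.51.100.9) hammers one account and is not flagged as a spray; the first is, and its one successful login is the account to investigate.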

In a 2021 blog post, Microsoft called the SolarWinds hacking campaign “the most sophisticated nation-state attack in history.” In addition to U.S. government agencies, including the Departments of Justice and Treasury, more than 100 private companies and think tanks were compromised, including software and telecommunications providers.

The main focus of the SVR is intelligence-gathering. It primarily targets governments, diplomats, think tanks and IT service providers in the United States and Europe.

The Associated Press contributed to this report.