Photo 230983080 © Rokas Tenys |

Microsoft Hacked by the Russians

Jan. 23, 2024
The same cybercriminals, linked to Russian intelligence services, are also responsible for one of the most infamous hacks of all time.

Editor's Note: BleepingComputer reported on Wednesday that Hewlett Packard Enterprise revealed via its own Form 8-K SEC filing that the company was also hacked by the Midnight Blizzard cybercriminal organization, resulting in stolen data from multiple departments.

Microsoft technically didn’t have to tell the SEC that it failed to apply very basic cybersecurity protections to an email account and paid the price, but late on Friday afternoon admitted the mistake anyway.

Microsoft specifically told the world that a Russian state-sponsored cybercrime group known as Midnight Blizzard gained a beachhead onto Microsoft’s network through a “password spray attack.”

The breached account was a “test tenant” account, meaning it was probably used for testing and development purposes versus a live email account used by an employee on a regular basis. But the incident does show just how on top of things cybersecurity teams (including yours) need to be, because the smallest keyhole may open doors that really ought to remain shut.

Especially when the hackers are also known as Nobelium or APT29, tied to Russia’s Foreign Intelligence Service (SVR), and responsible for causing billions of dollars’ worth of damage to some of the world’s largest tech companies in the notorious SolarWinds hack reported in 2020.

As explained by BleepingComputer, password spraying means collecting a list of potential login names and attempting to log into all of them with the same password. The hackers either eventually run out of passwords or hit paydirt and breach an account. And, as also pointed out by BleepingComputer, this only works if the account doesn’t have additional protections like multi-factor authentication.

The Russian hackers then used permissions attached to a hacked account to access corporate email accounts “including members of our senior leadership team and employees in our cybersecurity, legal, and other functions,” according to Microsoft’s notice.

The hackers were apparently looking for information related to the state-sponsored group and stole emails with attached documents.

Microsoft did not under the new SEC reporting rules have to report the breach because, as stated in the Form 8-K filing dated January 17, the hack “the incident has not had a material impact on the Company’s operations.”

However, Microsoft also reported The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”

Tyler Farrar, CISO at cybersecurity firm Exabeam, tells IndustryWeek that this is a wake-up call.

The recent Microsoft email system breach serves as a critical reminder of the evolving complexities in cybersecurity. The attackers capitalized on the path of least resistance, exploiting a legacy, non-production account, underscoring the often overlooked concept of latent security vulnerabilities within organizations,” says Farrar.

This is a crucial learning point for the cybersecurity community. It reinforces the importance of adopting comprehensive, AI-enhanced security measures to proactively identify and mitigate hidden risks. Consider this event a stark reminder that in the digital age, vigilance and advanced technology are key to safeguarding against sophisticated cyber threats,” Farrar adds.

Popular Sponsored Recommendations

Why Cybersecurity Maturity Model Certification (CMMC) is so important.

Dec. 14, 2022
Defense contractors face the very real threat of losing business if they are noncompliant with the Cybersecurity Maturity Model Certification (CMMC) standard. But what is it exactly...

Electric Vehicles Spark New Opportunities in the Automotive Industry

Dec. 4, 2023
Automakers have increased plans to produce Electric Vehicles to meet customer demand for low emissions. With this radical shift, new opportunities and challenges for the auto ...

Legacy Phone Lines Are Draining Your Profits

Oct. 30, 2023
Copper wire phone line expenses that support emergency devices could be costing your company millions of dollars in wasteful overhead expenses. Rates have been skyrocketing while...

Navigate Complex Cybersecurity Requirements With Purpose-Built Technology Solutions

Dec. 6, 2023
The CMMC represents a critical mandate from the U.S. DOD. Aerospace & Defense manufacturers that handle controlled unclassified information (CUI) must comply with CMMC requirements...

Voice your opinion!

To join the conversation, and become an exclusive member of IndustryWeek, create an account today!