Russian state hackers used a weak password to compromise Microsoft's corporate network and accessed emails and documents from senior executives and employees in its security and legal departments, Microsoft said late Friday.
The attack, which Microsoft attributed to a Kremlin-backed hacking group called Midnight Blizzard, is at least the second time in as many years that violations of basic security hygiene have resulted in a breach that could potentially harm customers. One paragraph in Friday's disclosure filed with the Securities and Exchange Commission was startling:
Starting in late November 2023, the threat actor used a password spray attack to compromise and gain a foothold on an old, non-production test tenant account, then leveraged the account's privileges to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in cybersecurity, legal and other functions, and exfiltrated some emails and attached documents. The investigation revealed that they initially targeted email accounts to obtain information related to Midnight Blizzard itself. We are in the process of notifying the employees whose emails were accessed.
Microsoft only discovered the breach on January 12, exactly a week before Friday's disclosure. Microsoft's account suggests that the Russian hackers had continuous access to the accounts for up to two months.
A translation of the 93 words quoted above: an account on the Microsoft network was protected by a weak password, with no form of two-factor authentication in use. The Russian adversary group was able to guess it by trying previously compromised or commonly used passwords against it until one finally matched. The threat actor then accessed the account, which indicates that either 2FA was not in use or the protection was somehow bypassed.
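The spray pattern described above (many accounts, few guesses each, from one source) is what makes it detectable, and it looks different from a brute-force attack on a single account. The following is an added illustration, not code from the article or from Microsoft: a small detector run over constructed sign-in log lines in a hypothetical `src=... user=... result=...` format, flagging sources that fail against many distinct users with few attempts per user and listing any account that same source then signed into successfully.

```python
import re
from collections import defaultdict

# Constructed sample sign-in log lines (hypothetical format, not Microsoft's logs).
SAMPLE_LOG = """\
2023-11-28T02:10:01Z src=203.0.113.7 user=alice result=FAIL
2023-11-28T02:10:03Z src=203.0.113.7 user=bob result=FAIL
2023-11-28T02:10:05Z src=203.0.113.7 user=carol result=FAIL
2023-11-28T02:10:07Z src=203.0.113.7 user=dave result=FAIL
2023-11-28T02:10:09Z src=203.0.113.7 user=erin result=FAIL
2023-11-28T02:10:11Z src=203.0.113.7 user=frank result=FAIL
2023-11-28T02:10:13Z src=203.0.113.7 user=test-tenant-svc result=SUCCESS
2023-11-28T02:11:00Z src=198.51.100.9 user=alice result=FAIL
2023-11-28T02:11:02Z src=198.51.100.9 user=alice result=FAIL
2023-11-28T02:11:04Z src=198.51.100.9 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_spray(events, min_users=5, max_per_user=2):
    """Return {source: info} for sources whose failures are spread across at least
    min_users distinct accounts with no more than max_per_user failures each.
    A source hammering one account many times is brute force, not a spray, and is
    not reported here."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failed attempts
    successes = defaultdict(set)                     # src -> users it signed into
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
        elif e["result"] == "SUCCESS":
            successes[e["src"]].add(e["user"])
    alerts = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            # Any success from a spraying source is the account that needs attention first.
            alerts[src] = {"targeted": len(per_user),
                           "successes": sorted(successes.get(src, ()))}
    return alerts
```

With the sample above, only 203.0.113.7 is reported (six accounts, one failure each, followed by a successful sign-in to the test account); 198.51.100.9 retries a single user and is left to a per-account lockout rule instead.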
Furthermore, this “old, non-production test tenant account” was somehow configured in a way that allowed Midnight Blizzard to pivot from it and gain access to some of the company's most senior and sensitive employee accounts.
Steve Bellovin, a computer science professor and law professor at Columbia University with decades of cybersecurity experience, wrote on Mastodon:
There are many fascinating implications here. A successful password spray attack suggests the absence of 2FA and either reused or weak passwords. Access to email accounts belonging to “senior leadership, cybersecurity, and legal teams” using only the permissions of a “test tenant account” suggests that someone has given this test account amazing privileges. Why? Why wasn't it removed after testing was completed? I also note that it took Microsoft about seven weeks to detect the attack.
While Microsoft said it knew of no evidence that Midnight Blizzard gained access to customer environments, production systems, source code or AI systems, some researchers expressed doubts, particularly about whether the Microsoft 365 service could be or was vulnerable to similar attack techniques. One of the researchers was Kevin Beaumont, who has had a long career in cybersecurity, including at Microsoft. On LinkedIn he wrote:
Microsoft employees use Microsoft 365 for email. SEC filings and blogs with no details on Friday night are great. But they need to be followed up with actual details. The days of Microsoft setting up tents, using incident code words, CELA-enabled things, and pretending MSTIC sees everything (threat actors have Macs too) are over – they need to make radical technical and cultural changes to preserve trust.
CELA is short for Corporate, External and Legal Affairs, a group within Microsoft that helps draft disclosures. MSTIC stands for Microsoft Threat Intelligence Center.