On Friday, Microsoft revealed that it had been the victim of a hack carried out by Russian government spies. Now, a week later, the technology giant said that it was not the only target of the espionage operation.
In a new blog post, Microsoft said that “the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.”
At this point, it’s unclear how many organizations the Russian-backed hackers targeted.
Do you have more information about this hack? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email email@example.com. You also can contact TechCrunch via SecureDrop.
When asked by TechCrunch to provide a specific number of victims it has notified so far, a Microsoft spokesperson declined to comment.
Microsoft identified the hackers as the group it calls Midnight Blizzard. This group is widely believed to be working for Russia's Foreign Intelligence Service, or SVR. Other security companies call the group APT29 and Cozy Bear.
Microsoft said it detected the intrusion on January 12, and then established that the hacking campaign started in late November, when the hackers used a “password spray attack” on a legacy system that did not have multi-factor authentication enabled. Password spraying is when hackers attempt to brute-force access to accounts using commonly used passwords, or a larger list of passwords from past data breaches.
“The actor tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures,” Microsoft wrote in its latest blog post. “The threat actor further reduced the likelihood of discovery by launching these attacks from a distributed residential proxy infrastructure. These evasion techniques helped ensure the actor obfuscated their activity and could persist the attack over time until successful.”
Once the Russian-backed hackers gained access to an account on that legacy system, they “used the account’s permissions to access a very small percentage of Microsoft corporate email accounts,” according to Microsoft, which has not yet specified how many email accounts were compromised.
Microsoft, however, said that the hackers specifically targeted the company's senior executives, as well as people who work in cybersecurity, legal, and other departments. The hackers were able to steal “some emails and attached documents.”
Curiously, the hackers were interested in finding out information about themselves, specifically what Microsoft knows about them, the company said.
On Thursday, Hewlett Packard Enterprise (HPE) disclosed that its Microsoft-hosted email system was hacked by Midnight Blizzard. HPE said it was notified of the breach — without saying by whom — on December 12. The company said that according to its own investigation, the hackers “accessed and exfiltrated data” from a “small percentage” of HPE mailboxes starting in May 2023.
It’s unclear how, or if, this breach is linked to the hackers' espionage campaign targeting Microsoft, as HPE said its incident was connected to an earlier intrusion where the same hackers exfiltrated “a limited number of SharePoint files” from its network.
“We don’t have the details of the incident that Microsoft experienced and disclosed last week, so we’re unable to link the two at this time,” HPE spokesperson Adam R. Bauer told TechCrunch.
Updated with Microsoft declining to comment.