Last Friday, Microsoft dropped a cyber bombshell, revealing that it had been the victim of a cunning cyber attack orchestrated by Russian government spies. Now, one week later, the tech giant has discovered that it was not the sole target of this espionage operation.
In a new illuminating blog post, Microsoft shared that “the same bad actors responsible for the breach have also targeted other individuals and corporations. As part of our standard notification protocol, we have begun alerting these affected parties.”
At this point, the scale of the hack remains unclear, and it’s uncertain how many organizations were targeted by the Russian-backed hackers.
If you have any information regarding this attack, we want to hear from you. Securely contact Lorenzo Franceschi-Bicchierai at +1 917 257 1382 via Signal, or through Telegram, Keybase, and Wire at @lorenzofb. You can also reach us via SecureDrop.
A Microsoft spokesperson did not provide a response when asked about the number of parties that have been notified so far.
The infamous hackers identified by Microsoft as Midnight Blizzard are largely believed to work for Russia’s Foreign Intelligence Service, also known as SVR. Various other security firms refer to this group as APT29 or Cozy Bear.
Microsoft disclosed that it first detected the intrusion on January 12. It then traced the start of the hack to late November of last year, when the hackers deployed a “password spray attack” against a legacy system that lacked multi-factor authentication.
“Password spraying” involves guessing login credentials to gain access to accounts, trying passwords exposed in previous data breaches or commonly used passwords across many accounts.
“The hacker honed in on a limited number of accounts and attempted access with a low number of tries to avoid detection. To further evade their activity from being discovered, the hackers utilized a dispersed residential proxy network. These diversion methods helped shield the hacker’s actions to persist and pave the way for success,” the company detailed in its latest blog post.
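The two paragraphs above describe why this campaign is hard to catch with the usual controls: each account sees only a few attempts, so lockout thresholds never trip, and the attempts arrive from many residential IP addresses, so per-IP rate limits never trip either. The detection that does work looks across the whole tenant for a window in which many accounts each fail a small number of times from many distinct sources. The following Python is an added example written for this article (not Microsoft's or HPE's code); the log format, the account names and the RFC 5737 documentation addresses are all constructed, and the thresholds are assumptions a defender would tune to their own sign-in volume.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in log (fabricated accounts, documentation IP ranges).
# Each line: timestamp account source_ip outcome
SAMPLE_LOG = """\
2023-11-28T02:01:10Z alice@example.test 203.0.113.10 FAILURE
2023-11-28T02:03:42Z bob@example.test 198.51.100.7 FAILURE
2023-11-28T02:05:05Z carol@example.test 192.0.2.44 FAILURE
2023-11-28T02:07:31Z dave@example.test 203.0.113.55 FAILURE
2023-11-28T02:09:58Z erin@example.test 198.51.100.91 FAILURE
2023-11-28T02:12:20Z frank@example.test 192.0.2.130 FAILURE
2023-11-28T02:15:03Z grace@example.test 203.0.113.200 FAILURE
2023-11-28T02:17:47Z heidi@example.test 198.51.100.23 FAILURE
2023-11-28T02:20:11Z ivan@example.test 192.0.2.77 SUCCESS
2023-11-28T09:30:00Z alice@example.test 10.0.0.5 SUCCESS
2023-11-28T09:31:12Z alice@example.test 10.0.0.5 FAILURE
2023-11-28T09:31:30Z alice@example.test 10.0.0.5 SUCCESS
"""


def parse_log(text):
    """Parse 'timestamp account ip outcome' lines into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "account": account.lower(),
            "ip": ip,
            "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def window_start(ts, window_minutes):
    """Floor a timestamp to the start of its fixed-size window (window_minutes divides 1440)."""
    minutes = (ts.hour * 60 + ts.minute) // window_minutes * window_minutes
    return ts.replace(hour=minutes // 60, minute=minutes % 60, second=0, microsecond=0)


def detect_password_spray(events, window_minutes=60, min_accounts=5,
                          max_failures_per_account=3, min_source_ips=3):
    """Flag windows where many accounts each fail a few times from many source IPs.

    The per-account cap is deliberately low: a spray stays under the lockout
    threshold by design, so a high failure count on one account is a different
    signal (brute force), not this one.
    """
    buckets = defaultdict(list)
    for e in events:
        buckets[window_start(e["ts"], window_minutes)].append(e)

    alerts = []
    for start in sorted(buckets):
        failures = [e for e in buckets[start] if e["outcome"] == "FAILURE"]
        per_account = defaultdict(int)
        per_ip = defaultdict(int)
        for e in failures:
            per_account[e["account"]] += 1
            per_ip[e["ip"]] += 1

        if not (len(per_account) >= min_accounts
                and max(per_account.values(), default=0) <= max_failures_per_account
                and len(per_ip) >= min_source_ips):
            continue

        # Triage priority: a success inside the spray window from an (account, IP)
        # pair that has never succeeded before is the likely "hit".
        seen_good = {(e["account"], e["ip"]) for e in events
                     if e["outcome"] == "SUCCESS" and e["ts"] < start}
        hits = sorted({e["account"] for e in buckets[start]
                       if e["outcome"] == "SUCCESS"
                       and (e["account"], e["ip"]) not in seen_good})

        alerts.append({
            "window_start": start,
            "accounts": sorted(per_account),
            "source_ip_count": len(per_ip),
            # Shows why a per-IP rule alone misses this: no single IP is noisy.
            "max_failures_per_ip": max(per_ip.values()),
            "suspicious_successes": hits,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"{alert['window_start'].isoformat()}: {len(alert['accounts'])} accounts, "
              f"{alert['source_ip_count']} IPs, max {alert['max_failures_per_ip']} failure(s) per IP, "
              f"successes to triage: {alert['suspicious_successes']}")
```

On the constructed log, only the 02:00 window fires: eight accounts with one failure each from eight different addresses, and no address responsible for more than one failure, which is exactly the shape a per-account lockout or a per-IP rate limit would let through. The 09:00 window, where one user mistypes a password once from a known-good address, does not fire. Real sign-in logs carry additional useful fields (user agent, application, whether MFA was satisfied) that make the hit-correlation step far more precise than the new-IP heuristic used here.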
Once the Russian-backed hackers gained entry into an account on the legacy system, they used that account’s permissions to access a small number of Microsoft employee email accounts; the company has not disclosed how many email accounts were compromised.
Microsoft specified that the hackers had their sights set on the company’s high-ranking executives as well as individuals working in their legal, cybersecurity, and other divisions. The hackers were capable of purloining “a few emails and attached documents.”
Intriguingly, the hackers’ primary focus was information about themselves, specifically what Microsoft knows about them.
Separately, Hewlett Packard Enterprise (HPE) reported that its Microsoft-hosted email system was also targeted by Midnight Blizzard. HPE said it became aware of the breach — without disclosing who alerted it — on December 12. It has since conducted an internal investigation that confirmed “data” was stolen from a “few” HPE user mailboxes, beginning in 2023.
It’s still unclear whether the HPE hack is linked to the espionage operation aimed at Microsoft. HPE said the incident was linked to an earlier hack in which the same group exfiltrated a small number of files from its Microsoft network.
HPE spokesperson Adam R. Bauer informed TechCrunch: “At this point, we do not have all the particulars about industry practices employed by Microsoft last week. For the present, we are not capable of making any connection.”