
Microsoft Source Code Was Accessed by Midnight Blizzard Attackers

Microsoft this week provided an update on the "Midnight Blizzard" purported nation-state attack that had compromised its corporate e-mails late last year.

The update, authored by the Microsoft Security Response Center (MSRC), added new information that the Midnight Blizzard advanced persistent threat group, thought to be Russia-affiliated, used information from compromised e-mails to access some of Microsoft's source code. While accessing source code is a bad outcome, Microsoft suggested that it may not have affected its services to customers.

Here's how the MSRC put it:

In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.

The update further explained that the attack group has attempted to use "secrets" (internal access codes) that were included in some of Microsoft's e-mails to its customers. Microsoft has been "reaching out to these customers" with "mitigating measures."

Microsoft initially had reported the exfiltration of e-mails by Midnight Blizzard back in January, and had indicated back then that the attack likely started in late November 2023. Microsoft's initial report on this incident didn't mention that source code had been accessed by the attackers, which is new information.

Midnight Blizzard had used the "password spray" method to guess the passwords of Microsoft's nonproduction test accounts, and then escalated privileges from there. These password spray attacks didn't stop after Microsoft's disclosure in January, but instead increased "by as much as 10-fold in February."
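The password-spray pattern described above (one source trying a small number of passwords against many accounts) is what a defender hunts for in sign-in logs, as distinct from brute force against a single account. The following is an added example, not Microsoft's or MSRC's detection logic; the log format, IP addresses and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the incident): timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z 203.0.113.7 test-user01 FAILURE
2023-11-28T02:00:03Z 203.0.113.7 test-user02 FAILURE
2023-11-28T02:00:05Z 203.0.113.7 test-user03 FAILURE
2023-11-28T02:00:07Z 203.0.113.7 test-user04 FAILURE
2023-11-28T02:00:09Z 203.0.113.7 test-user05 FAILURE
2023-11-28T02:00:11Z 203.0.113.7 test-user06 SUCCESS
2023-11-28T02:00:12Z 198.51.100.9 alice FAILURE
2023-11-28T02:00:14Z 198.51.100.9 alice FAILURE
2023-11-28T02:00:16Z 198.51.100.9 alice FAILURE
2023-11-28T02:00:18Z 198.51.100.9 alice FAILURE
2023-11-28T02:00:20Z 198.51.100.9 alice FAILURE
2023-11-28T03:30:00Z 192.0.2.5 bob FAILURE
"""

def parse(log):
    """Turn the constructed whitespace-separated log into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted accounts} for sources whose failures hit at least min_accounts
    distinct accounts within one sliding window; repeated failures on one account do not trigger."""
    failures = defaultdict(list)
    for ts, ip, account, outcome in events:
        if outcome == "FAILURE":
            failures[ip].append((ts, account))
    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > window:  # slide the window forward
                start += 1
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits

def sprayed_then_succeeded(events, hits):
    """Accounts that signed in successfully from a spraying source: the first pivot to investigate."""
    return sorted(a for _, ip, a, o in events if ip in hits and o == "SUCCESS")
```

In a real tenant the same logic runs over the identity provider's sign-in export, and the success after a spray from the same source is the event that merits a credential reset and a review of what that account could reach.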

In addition to the MSRC post, Microsoft released an amended 8-K Form, dated March 8, with the U.S. Securities and Exchange Commission, which reported the source code access. This amended 8-K Form explained that the "threat actor's activities are ongoing" with regard to using e-mail information to access its source code.

"As of the date of this filing, the incident has not had a material impact on the Company’s operations," the amended 8-K Form indicated. However, it also explained that Microsoft hasn't yet made a full determination.

The use of 8-K forms to report cyberattacks seems kind of new. Hewlett Packard Enterprise, also hit by Midnight Blizzard, used the same publication route, without issuing a public announcement.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
