Be Tech Ready!!
Microsoft explains how Russian hackers carried out a state-sponsored attack

Last week, Microsoft disclosed that it had detected a nation-state attack on its corporate systems, carried out by the same Russian state-sponsored hackers responsible for the SolarWinds attack. These hackers managed to breach the email accounts of certain members of Microsoft’s senior leadership team, potentially spying on them for weeks or even months.

Although Microsoft’s initial SEC disclosure last Friday offered few specifics on how the attackers got in, the company has now published a preliminary analysis of the breach. Microsoft also warned that the same hacking group, known as Nobelium and tracked by Microsoft under the name “Midnight Blizzard,” has been going after other organizations.

Nobelium first entered Microsoft’s systems using a password spray attack. In a password spray, the attacker tries a short list of likely passwords against many accounts, rather than many passwords against one account, so no single account accumulates enough failed sign-ins to trip a lockout. The crucial point here is that the breached non-production test tenant account didn’t have two-factor authentication enabled. Microsoft mentions that Nobelium “tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection.”
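A defender’s-side illustration of why the low-and-slow pattern Microsoft describes slips past a per-account lockout policy but stands out when failures are grouped by source, as an added example that is not from Microsoft’s analysis or this article. The sign-in events, account names and IP addresses are constructed, and the thresholds (24-hour window, five distinct accounts, at most three failures each) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample sign-in events (not real telemetry): (time, account, source_ip, result).
# 203.0.113.7 sprays eight accounts with two guesses each, spread across a day.
SAMPLE_EVENTS = [
    (f"2023-11-27T{h:02d}:15:00Z", f"test-tenant\\svc-{n:02d}", "203.0.113.7", "fail")
    for n in range(8) for h in (n * 3, n * 3 + 1)
]
# 198.51.100.4 hammers one account: the classic brute force that lockout does catch.
SAMPLE_EVENTS += [
    (f"2023-11-27T09:{m:02d}:00Z", "test-tenant\\alice", "198.51.100.4", "fail") for m in range(6)
]
# A user who mistyped once and then signed in; neither rule should flag this.
SAMPLE_EVENTS += [
    ("2023-11-27T10:00:00Z", "test-tenant\\bob", "192.0.2.9", "fail"),
    ("2023-11-27T10:00:20Z", "test-tenant\\bob", "192.0.2.9", "success"),
]

def lockout_candidates(events, threshold=5):
    """Accounts a per-account lockout policy would catch: >= threshold failures on one account."""
    fails = defaultdict(int)
    for _, account, _, result in events:
        if result == "fail":
            fails[account] += 1
    return sorted(a for a, c in fails.items() if c >= threshold)

def spray_sources(events, window=timedelta(hours=24), min_accounts=5, max_per_account=3):
    """Source IPs whose failures touch >= min_accounts distinct accounts inside `window`
    while staying <= max_per_account on each one: the shape per-account lockout never sees."""
    by_ip = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "fail":
            by_ip[ip].append((parse(ts), account))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window over this source's failures
            per_account = defaultdict(int)
            for t, account in fails[i:]:
                if t - start > window:
                    break
                per_account[account] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                flagged[ip] = sorted(per_account)
                break
    return flagged
```

On the constructed data, lockout_candidates finds only the brute-forced account, while spray_sources flags only the spraying source and the eight accounts it touched.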

From this attack, the group “leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment.”

OAuth is a popular open standard for token-based authentication. It’s widely used on the internet, enabling you to log into apps and services without sharing your password directly with a website. For instance, when you sign into various websites using your Gmail account, that’s OAuth at work.

With this elevated access, the group could create additional malicious OAuth applications and accounts to get into Microsoft’s corporate environment, eventually reaching its Office 365 Exchange Online service, which provides access to email inboxes.

“Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts,” explains Microsoft’s security team.

Microsoft hasn’t shared the exact number of its corporate email accounts that were targeted and breached. However, the company characterized it as “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.”

Microsoft hasn’t provided a precise timeline for how long the hackers were monitoring its senior leadership team and other employees. While the initial attack occurred in late November 2023, Microsoft only detected it on January 12th. This suggests that the attackers might have been spying on Microsoft executives for nearly two months.