
Microsoft explains how Russian hackers carried out a state-sponsored attack

Last week, Microsoft disclosed that it had detected a nation-state attack on its corporate systems, carried out by the same Russian state-sponsored hackers responsible for the SolarWinds attack. These hackers managed to breach the email accounts of certain members of Microsoft’s senior leadership team, potentially spying on them for weeks or even months.

Although Microsoft didn’t offer many specifics on how the attackers got in when it made its initial SEC disclosure last Friday, the company has now released an initial analysis of how its security was breached. Microsoft also issued a warning that the same hacking group, known as Nobelium and tracked by Microsoft as “Midnight Blizzard”, has been going after other organizations.

Nobelium first entered Microsoft’s systems using a password spray attack. In a password spray, attackers try a short list of likely passwords against many accounts rather than many passwords against one account, which keeps the number of failures per account below the thresholds that trigger lockouts and alerts. The crucial point here is that the breached account, in a non-production test tenant, didn’t have two-factor authentication enabled. Microsoft mentions that Nobelium “tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection.”
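Because a spray keeps every individual account under the lockout threshold, it only becomes visible when sign-in failures are aggregated per source rather than per account. The script below is an added illustration of that detection logic, not Microsoft’s own tooling: it parses a constructed set of sign-in events (the log format, IP addresses and account names are invented for the example), flags a source that fails against many distinct accounts with at most a couple of attempts each, and then looks for a success from that same source shortly afterwards, which is the pattern that would have surfaced a sprayed account without MFA.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real Microsoft telemetry).
# One line per authentication attempt: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2023-11-28T02:10:05Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-11-28T02:11:00Z src=198.51.100.9 user=erin@example.com result=FAIL
2023-11-28T02:11:20Z src=198.51.100.9 user=erin@example.com result=FAIL
2023-11-28T02:11:45Z src=198.51.100.9 user=erin@example.com result=SUCCESS
2023-11-28T02:14:41Z src=203.0.113.7 user=bob@example.com result=FAIL
2023-11-28T02:19:12Z src=203.0.113.7 user=carol@example.com result=FAIL
2023-11-28T02:23:58Z src=203.0.113.7 user=dave@example.com result=FAIL
2023-11-28T02:28:30Z src=203.0.113.7 user=test-tenant-admin@example.com result=SUCCESS
2023-11-28T03:05:00Z src=192.0.2.44 user=frank@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, source, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(events, window=timedelta(hours=1),
                          min_accounts=4, max_per_account=2):
    """Flag each source that, within `window`, fails against at least
    `min_accounts` distinct accounts while never exceeding `max_per_account`
    failures on any one of them. Per-account lockout rules never fire on such
    traffic, so the aggregation has to be per source, not per account."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # advance the window start so that fails[start:end+1] spans <= window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e[2]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                first, last = fails[start][0], fails[end][0]
                # A success from the same source shortly after the spray is the
                # signal that one of the sprayed accounts (here one without MFA) fell.
                followup = [e[2] for e in evs
                            if e[3] == "SUCCESS" and first <= e[0] <= last + window]
                findings.append({
                    "source": src,
                    "distinct_accounts": len(per_user),
                    "max_attempts_per_account": max(per_user.values()),
                    "followup_success": followup,
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_events(SAMPLE_LOG)):
        print(finding)
```

In the sample, 203.0.113.7 is flagged (four accounts, one failure each, then a success against the test-tenant account), while 198.51.100.9, which fails twice on a single account before succeeding, is not: that is the ordinary mistyped-password pattern a per-account rule is tuned for, and the two need to be told apart to keep the alert useful.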

From this attack, the group “leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment.”

OAuth is a widely used open standard for token-based delegated access: it lets one application act on your behalf toward another service using a token, without you handing your password to that application. For instance, when you sign into various websites using your Google account, that flow is built on OAuth.

With this elevated access, the group could create additional malicious OAuth applications and accounts to get into Microsoft’s corporate environment, eventually reaching its Office 365 Exchange Online service, which sits in front of corporate email inboxes.

“Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts,” explains Microsoft’s security team.
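The two OAuth steps described above (a forgotten legacy test app that still held elevated access, and freshly created malicious apps used to authenticate to Exchange Online) are both things a tenant owner can look for in an inventory of app registrations. The audit below is an added example, not Microsoft’s own code or guidance: it runs over a constructed inventory (the app names, owners and dates are invented) and rates each app that holds application-type mailbox permissions, calling out the ones with no owner, no recent use, or a very recent creation date. The permission names (`full_access_as_app`, `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`) are real Microsoft permission names; treating exactly that set as “mailbox-wide” is the example’s own triage choice.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Application-type permissions that grant access to every mailbox in the tenant.
# The permission names are real Microsoft ones; treating exactly this set as
# "mailbox-wide" is this example's triage choice, not a Microsoft rule.
MAILBOX_WIDE_APP_PERMS = {
    ("Office 365 Exchange Online", "full_access_as_app"),
    ("Microsoft Graph", "Mail.Read"),
    ("Microsoft Graph", "Mail.ReadWrite"),
    ("Microsoft Graph", "Mail.Send"),
}


@dataclass
class AppRegistration:
    name: str
    created: date
    last_sign_in: Optional[date]   # None means the app has never signed in
    owners: List[str]
    # (resource, permission, kind) with kind "Application" or "Delegated";
    # only Application permissions work without a signed-in user present.
    permissions: List[Tuple[str, str, str]]


def assess(app: AppRegistration, today: date,
           stale_after=timedelta(days=180), new_within=timedelta(days=30)):
    """Return (severity, reasons). Severity is "high" when the app can reach
    mailboxes on its own; the reasons say why it deserves a closer look."""
    mail_perms = [p for r, p, kind in app.permissions
                  if kind == "Application" and (r, p) in MAILBOX_WIDE_APP_PERMS]
    if not mail_perms:
        return "info", []
    reasons = ["tenant-wide mailbox access via " + ", ".join(sorted(mail_perms))]
    if not app.owners:
        reasons.append("no owner")                  # nobody accountable for it
    if app.last_sign_in is None or today - app.last_sign_in > stale_after:
        reasons.append("stale (legacy) app")        # unused but still privileged
    if today - app.created <= new_within:
        reasons.append("recently created")          # candidate attacker-made app
    return "high", reasons


def audit(inventory: List[AppRegistration], today: date):
    """Map each app name to its assessment; sort by severity for triage."""
    return {app.name: assess(app, today) for app in inventory}


# Constructed inventory, not Microsoft's tenant. Names, owners and dates are
# invented; the audit date simply reuses the January 12th detection date.
TODAY = date(2024, 1, 12)
INVENTORY = [
    AppRegistration("legacy-test-mailer", date(2019, 3, 4), date(2022, 11, 1), [],
                    [("Office 365 Exchange Online", "full_access_as_app", "Application")]),
    AppRegistration("sync-helper-2", date(2024, 1, 3), date(2024, 1, 11),
                    ["svc-owner@example.com"],
                    [("Microsoft Graph", "Mail.ReadWrite", "Application")]),
    AppRegistration("intranet-portal", date(2021, 6, 1), date(2024, 1, 12),
                    ["it-owner@example.com"],
                    [("Microsoft Graph", "User.Read", "Delegated")]),
]

if __name__ == "__main__":
    for name, (severity, reasons) in audit(INVENTORY, TODAY).items():
        print(f"{severity:5} {name}: {'; '.join(reasons) or 'ok'}")
```

Run against the sample, the ownerless, unused `legacy-test-mailer` with `full_access_as_app` and the nine-day-old `sync-helper-2` with `Mail.ReadWrite` both come out high, for different reasons, while the delegated-only portal app is informational. The same two checks, an app nobody uses but nobody removed and an app that appeared recently with mail permissions, are the ones that bracket the attack path the article describes.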

Microsoft hasn’t shared the exact number of its corporate email accounts that were targeted and breached. However, the company characterized it as “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.”

Microsoft hasn’t provided a precise timeline for how long the hackers were monitoring its senior leadership team and other employees. While the initial attack occurred in late November 2023, Microsoft only detected it on January 12th. This suggests that the attackers might have been spying on Microsoft executives for nearly two months.

Rohan Sharma
