Microsoft repeats lessons it didn't learn from Russian hack


After being attacked itself, Microsoft is warning of the threat posed by Midnight Blizzard. This Russian state-backed hacking group exposed major security flaws at Microsoft, but the company now seems keen to say it has learned its lesson.

The Midnight Blizzard group (also known as Nobelium) was able to obtain the email information of high-level Microsoft executives through an old tenant. Through this tenant, which was apparently no longer known to Microsoft's security teams, the group was able to move laterally to access emails. We wrote a post on the subject shortly after the incident last week.

In an extensive blog post, Microsoft explains how the company discovered Midnight Blizzard's activity. It also tries to emphasize that such an infiltration could not simply happen to customers: if the affected legacy tenant had been deployed today, current practices would have prevented the attack, Microsoft says. However, this explanation will not dispel experts' criticism of the incident.

Ancient history

It is commendable that Microsoft is open about the methods of an attacker who penetrated the company itself. Such disclosures help other organizations prepare for similar incidents. However, it is notable that the new blog post repeats a lot of information from previous coverage. In fact, in June 2023, Microsoft already raised the alarm about Midnight Blizzard's tactics: stolen credentials, vulnerabilities in webmail software and the deployment of JavaScript malware were all mentioned. Two months later, the tech giant published another blog post showing that Midnight Blizzard tricked people via Teams into bypassing MFA. Incidentally, the attack on Microsoft did not require this, as MFA was not enabled on the account used to access the corporate environment.

Now, Microsoft is highlighting the actual steps the group took to get into the Redmond-based company and remain undetected. Initial access was gained through password spraying, after which OAuth applications were deployed for malicious purposes. These gave the attackers authenticated access to Microsoft Exchange Online, where the corporate emails were located. The hackers then avoided detection by routing their activity through residential IP addresses.

In statements to Politico, nbhd.ai CTO Marc Rogers suggests that Microsoft's rhetoric is misleading. “In fact, it appears that there is a massive failure of security best practices,” he argues. CrowdStrike senior vice president of adversary operations Adam Meyers added: “I can tell you as someone who works at a security company: our executives are not sitting in legacy tenants without an MFA.”

Other organizations notified

Microsoft reveals in the blog post that it knows other organizations were also affected by Midnight Blizzard. HPE is one of them, although that company could not immediately confirm a link between the Microsoft incident and its own infiltration. It remains to be seen which other organizations were successfully breached. Either way, Midnight Blizzard primarily targets government departments, NGOs and large IT service providers in Europe and the US. The infamous SolarWinds hack of 2020 was also carried out by this group.

It is uncertain whether we will hear from every party that has been affected by this group. In any case, it would amount to a significant cyber espionage campaign. Microsoft itself suggests that the attackers were only after what the technology giant knew about the group's own activities. Given that Microsoft is the largest endpoint security company in the world, that goal and that specific target are not entirely surprising.

However, we have to wonder why exactly these corporate accounts were targeted. After all, the mailboxes of senior Microsoft (and HPE) employees contain far more than just knowledge about the hacking group. From the stolen information, which remains in the hands of Midnight Blizzard, many of Microsoft's future plans could be gleaned. Yet little is known about exactly what was taken. We know from both Microsoft and HPE that only a “small portion” of each company's mailboxes were involved. The impact of this hack is therefore not yet known, nor is it known who else was targeted by Midnight Blizzard.
