BOSTON — State-backed Russian hackers broke into Microsoft’s corporate email system and gained access to the accounts of members of the company’s leadership team, as well as those of employees on its cybersecurity and legal teams, the company said Friday.
In a blog post, Microsoft said the intrusion started in late November and was discovered on January 12. It said the same highly skilled Russian hacking team behind the SolarWinds breach was responsible.
“A very small percentage” of Microsoft corporate accounts were accessed, the company said, and some emails and attached documents were stolen.
A company spokesperson said Microsoft had no immediate comment on which or how many members of upper management had their email accounts hacked. In a regulatory filing Friday, Microsoft said it was able to remove the hackers’ access to the compromised accounts on or around Jan. 13.
“We are in the process of notifying employees whose emails have been opened,” Microsoft said, adding that the investigation shows the hackers initially targeted email accounts for information related to their activities.
The revelation by Microsoft comes a month after a new U.S. Securities and Exchange Commission rule took effect that forces publicly traded companies to disclose breaches that could negatively impact their businesses. It gives them four days to do so unless they receive a national security waiver.
In Friday’s SEC filing, Microsoft said that “as of the date of this filing, the incident has not had a material impact” on its business. It added that, however, it has not “determined whether the incident is reasonably likely to have a material impact” on its finances.
Microsoft, based in Redmond, Washington, said the hackers from Russia’s foreign intelligence service SVR were able to gain access by compromising the login credentials of a “legacy” test account, suggesting it contained outdated code. Once they gained a foothold, they used the account permissions to access the accounts of the senior leadership team and others. The brute-force attack technique used by the hackers is called ‘password spraying’.
The threat actor uses a single, common password to attempt to log into multiple accounts. In an August blog post, Microsoft described how its threat intelligence team discovered that the same Russian hacking team had used the technique to steal login credentials from at least 40 different global organizations through Microsoft Teams chats.
“The attack was not due to a vulnerability in Microsoft products or services,” the company said in the blog. “To date, there is no evidence that the threat actor had access to customer environments, production systems, source code or AI systems. We will notify customers if action is required.”
Microsoft calls the hacking unit Midnight Blizzard. Before it revamped its nomenclature of threat actors last year, it called the group Nobelium. The cybersecurity company Mandiant, owned by Google, calls the group Cozy Bear.
In a 2021 blog post, Microsoft called the SolarWinds hacking campaign “the most sophisticated nation-state attack in history.” In addition to US government agencies, including the Departments of Justice and Treasury, more than a hundred private companies and think tanks were also compromised, including software and telecommunications providers.
The main focus of the SVR is intelligence gathering. It focuses primarily on governments, diplomats, think tanks and IT service providers in the US and Europe.