Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems

Sicherheit (Pexels, allgemeine Nutzung)[German]Microsoft has now had to confirm that Russian cyber spies from the Midnight Blizzard group not only had access to the email accounts of Microsoft management in January 2024. The attackers were also able to gain access to internal systems and access product source codes. Microsoft has indications that further accesses were made following the January 2024 hack, during which source code was also accessed.


The Midnight Blizzard hack (Jan 2024)

On January 12, 2024, the Microsoft security team noticed an attack on its corporate IT. By January 19, 2024, Microsoft had addressed this in a short sec.go message (post since deleted) and made it public in the article Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard. The short version:

  • On January 12, 2024, the Microsoft security team became aware of a state-sponsored attack on its own corporate systems.
  • Microsoft refers to the attackers as Midnight Blizzard or Nobelium or Cozy Bear, a Russian state-sponsored hacker group, presumably belonging to the Russian Foreign Intelligence Service (SVR).
  • The attackers gained access to a non-productive test tenant account at the end of November 2023 through a password spray attack.
  • Using this account, the attackers were able to extend the permissions and access email accounts hosted by Microsoft.

This probably gave the attackers access to any Microsoft email account. The January 2024 notification stated that the attacker had only accessed "a very small percentage of Microsoft corporate email accounts" with the account permissions obtained. However, these included Microsoft management email accounts. Naturally, Microsoft "responded immediately and stopped the attack".

I had reported the details in the blog post Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023 and already explained my view of things. Not everything was commented on and days later the HPE hack became known (Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023). There had to be more to come.

New attacks and source codes extracted

In an updated report to the U.S. Securities and Exchange Commission (SEC) and in an article Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard, Microsoft provided more details about the security breach as of March 8, 2024. Here are the key statements:

  • In recent weeks, Microsoft has found evidence that Midnight Blizzard used information originally exfiltrated from the company's email systems to gain or attempt to gain unauthorized access.
    This included access to some of the company's source code repositories and internal systems.
    To date, we have found no evidence that customer systems hosted by Microsoft have been compromised.

In the article, Microsoft speaks of an ongoing attack by Midnight Blizzard that is characterized by a sustained, significant use of resources, coordination and concentration by the threat actor. It is apparent that Midnight Blizzard is attempting to exploit various types of confidential information it has discovered. Some of this confidential information was exchanged between customers and Microsoft via email, the company writes. This could be determined from the exfiltrated e-mails. The customers were informed of this (it is not clear whether this also affected the HPE case, which was also hacked).


Microsoft suspects that Midnight Blizzard is using the information obtained to get an idea of the IT structures under attack and to improve its capabilities. Midnight Blizzard increased the volume of some aspects of the attack, such as password sprays, tenfold in February compared to the already large volume we saw in January 2024. According to Microsoft, this reflects an unprecedented global threat landscape, particularly in terms of sophisticated nation-state attacks.

Redmond writes that it has increased investment in security, cross-company coordination and mobilization, and improved its own ability to defend itself and secure and harden its environment against this advanced persistent threat. The old question remains: "After the game is before the game", when will the next hack be reported?

Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *