The Russian hackers who infiltrated Microsoft have also been targeting other companies, according to the software giant.
On Friday, Microsoft provided more details about this month’s hack of its systems, which it blames on state-sponsored Russian hacking group Midnight Blizzard, also known as Cozy Bear.
In a blog post, the company wrote: “Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations."
The statement may raise worries that the Russian hackers used the breach into Microsoft as a launching pad for other attacks. But so far, the company has said: “There is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”
The Russian hackers also didn’t break in using a software vulnerability. Friday’s post says Midnight Blizzard resorted to plugging in numerous passwords to gain access to a “legacy, non-production test tenant account” at Microsoft, likely for the company’s Azure cloud service. The same account also failed to activate two-factor authentication, enabling the hackers to gain easy access once the password had been guessed.
To avoid raising red flags, the Russian hackers plugged in their password guessing attempts “to a limited number of accounts, using a low number of attempts,” Microsoft said. In addition, the hackers used a residential internet proxy to make it look like the login attempts were occurring locally in the US, rather than outside the country.
“These evasion techniques helped ensure the actor obfuscated their activity and could persist the attack over time until successful," the company said.
Although the hackers gained access to what Microsoft says was a test account, it nevertheless contained access to a powerful OAuth application “that had elevated access to the Microsoft corporate environment.” OAuth is widely used in the tech industry so that one website can share data to another, without needing the password. Hence, compromising the OAuth application paved the way for Midnight Blizzard to break into email inboxes belonging to company executives. The apparent goal was to find out what Microsoft knew about Midnight Blizzard, a hacking group that the US and its allies suspect is tied to the Kremlin.
The company issued Friday’s blog post to help the industry defend against the hacking group. Microsoft didn’t identify the other organizations under threat. But days earlier Hewlett Packard Enterprise notified investors that Midnight Blizzard was able to breach its own email system sometime last year.