On January 12, 2024, the Microsoft security team identified a nation-state attack on our corporate systems and promptly initiated our response protocol.
The goal was to investigate, disrupt malicious activity, mitigate the attack, and prevent the threat actor, identified as Midnight Blizzard (a Russian state-sponsored actor also known as Nobelium), from gaining further access.
This update is shared in adherence to our commitment to responsible transparency, as reaffirmed in our Secure Future Initiative (SFI).
Commencing in late November 2023, the threat actor employed a password spray attack to infiltrate a legacy non-production test tenant account, establishing a foothold.
Subsequently, leveraging the account’s permissions, the actor gained access to a limited number of Microsoft corporate email accounts, including those of senior leadership team members and employees in cybersecurity, legal, and various other functions.
Some emails and attached documents were exfiltrated during this unauthorized access. The investigation suggests that the actor initially targeted email accounts for information related to Midnight Blizzard.
We are currently in the process of informing employees whose emails were accessed.
The attack did not exploit any vulnerabilities in Microsoft products or services. As of now, there is no indication that the threat actor gained access to customer environments, production systems, source code, or AI systems. If any action is deemed necessary, we will promptly notify our customers.
This incident underscores the persistent risk posed to all organizations by well-resourced nation-state threat actors like Midnight Blizzard. As we emphasized in our announcement of the Secure Future Initiative (SFI) late last year, recognizing the reality of threat actors funded by nation-states, we are reevaluating the balance between security and business risk. The conventional calculus is no longer sufficient.
For Microsoft, this event has underscored the immediate necessity to expedite our actions. We will promptly implement our existing security standards across Microsoft-owned legacy systems and internal business processes, even if these changes lead to disruptions in established business processes. While this adjustment may cause some level of disturbance as we adapt to this new reality, it is a crucial step and merely the first in a series of measures we will be taking to embrace this philosophy.
The statement continues: “Our investigation is ongoing, and we will implement further measures based on the findings. We will also maintain collaboration with law enforcement and relevant regulators. Our commitment to transparency remains strong, and we are dedicated to sharing more information and insights derived from our experience with the threat actor. Additional details will be provided as deemed appropriate.”