Microsoft got hacked by state sponsored group it was investigating

In a spy-vs-spy type of scenario, Microsoft has acknowledged that a group called Midnight Blizzard (also known as APT29 or Cozy Bear), gained access to a Microsoft legacy non-production test tenant account.

According to Microsoft, the group managed to access the account in November after subjecting it to a password spray attack, a type of brute force attack where the attacker tries a large amount of logins until they succeed. The group used this foothold to access some of Microsoft’s corporate email accounts and steal some emails and attached documents.

Cozy Bear, who is generally linked to the Russian Foreign Intelligence Service, also known as the SVR, appears to have been curious to find out what information Microsoft had gathered about it. Cozy Bear is generally believed to be behind the SolarWinds attack and attacks on several US institutions, including the State Department, the White House, and the DNC. On all these occasions, the Dutch alerted the US intelligence services.

Microsoft’s investigation about the attack showed that the group was not after customer data or corporate information, but instead something closer to home:

“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself.”

To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems, but the investigation is still ongoing. Microsoft has promised to provide additional details as appropriate.

Generally speaking, the larger an organization is, the larger the attack surface, but with companies like Microsoft people expect a tighter security. It is, after all, a security software vendor as well. So, the fact that Cozy Bear was able to stay undetected for months comes as a surprise to many.

Apparently, the attack scared Microsoft itself as well: It says that it feels the need to speed up its cyberprotection advancement project, the Secure Future Initiative, given how well-funded and resourced the attackers are.

“We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.”

This attack can generally be seen as a warning to every other organization that has information which might be of interest to foreign governments.

The more an organization has grown, the larger the chance that legacy accounts exist and may even be neglected. Compare the organization to an office building: The more doors and windows (pun intended) exist, the larger the chance that one is left open. And if there are offices that are no longer in use, the chance of an opening grows exponentially.