Microsoft says state-sponsored attackers accessed top leaders' emails


Microsoft revealed on January 19 that a nation-state attack, which began in November 2023, had given the Russian state-sponsored threat actor group Midnight Blizzard access to some Microsoft corporate emails and documents through compromised email accounts.

The attackers gained initial access in November 2023 through a legacy, non-production test tenant account. From there, they used that account's permissions to reach a small number of Microsoft corporate email accounts, including those of members of the senior leadership team and of employees in the legal and cybersecurity teams, among other roles.

“The investigation indicates that they initially searched email accounts for information related to Midnight Blizzard,” the Microsoft Security Response Center team wrote in the Jan. 19 blog post.

“The attack was not the result of a vulnerability in Microsoft products or services,” the Microsoft team wrote. “To date, there is no evidence that the threat actor had access to customer environments, production systems, source code, or artificial intelligence systems. We will notify customers if any action is required.”

How did Midnight Blizzard access Microsoft email accounts?

The Midnight Blizzard threat actor group used a technique called a password spray attack. Password spraying is a form of brute-force attack in which threat actors try a small set of commonly used passwords, often one password at a time, against many different accounts in an organization or application. Because each account sees only a few attempts, the activity stays below per-account lockout thresholds that would stop a conventional brute-force attack against a single account.

How to defend against password spraying attacks

The threat of a password spray attack is a good reason to make sure your organization enforces multi-factor authentication, retires or locks down legacy test, trial and expired accounts, and feeds sign-in logs into an up-to-date SIEM.

Password spraying can show up as a sharp rise in failed sign-ins spread across many accounts, often from a single source, with attempts spaced unusually evenly to stay under lockout thresholds. The attack succeeds when accounts still carry default, reused or commonly chosen passwords and lack MFA, for example test accounts whose owners were never forced to change the initial password. Sign-in monitoring that correlates failures across accounts rather than only per account, account lockout policies, and password managers all reduce the chance that a spray succeeds.
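The detection logic described above, as an added example that is not from the article or from Microsoft's own telemetry: a short Python script that runs two checks over constructed sign-in log lines (the log format, timestamps, IP addresses and account names are all invented for illustration) and shows why a per-account lockout policy on its own never fires on a spray, while a per-source check that counts distinct accounts does.

```python
"""Password-spray detection over constructed sign-in log lines (example only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. One event per line:
# timestamp, source IP, account, result. Three sources are mixed in:
#   203.0.113.7  sprays one guess each at ten accounts, then logs in to a test account
#   198.51.100.9 hammers a single account (classic brute force, not a spray)
#   192.0.2.44   is a user who mistyped once and then signed in normally
SAMPLE_LOG = """\
2023-11-20T02:00:00Z 203.0.113.7 alice FAIL
2023-11-20T02:01:10Z 203.0.113.7 bob FAIL
2023-11-20T02:02:20Z 203.0.113.7 carol FAIL
2023-11-20T02:03:30Z 203.0.113.7 dave FAIL
2023-11-20T02:04:40Z 203.0.113.7 erin FAIL
2023-11-20T02:05:50Z 203.0.113.7 frank FAIL
2023-11-20T02:07:00Z 203.0.113.7 grace FAIL
2023-11-20T02:08:10Z 203.0.113.7 heidi FAIL
2023-11-20T02:09:20Z 203.0.113.7 ivan FAIL
2023-11-20T02:10:30Z 203.0.113.7 judy FAIL
2023-11-20T02:11:40Z 203.0.113.7 test-legacy SUCCESS
2023-11-20T02:00:05Z 198.51.100.9 alice FAIL
2023-11-20T02:00:06Z 198.51.100.9 alice FAIL
2023-11-20T02:00:07Z 198.51.100.9 alice FAIL
2023-11-20T02:00:08Z 198.51.100.9 alice FAIL
2023-11-20T02:00:09Z 198.51.100.9 alice FAIL
2023-11-20T02:00:10Z 198.51.100.9 alice FAIL
2023-11-20T08:15:00Z 192.0.2.44 bob FAIL
2023-11-20T08:15:20Z 192.0.2.44 bob SUCCESS
"""


def parse_events(text):
    """Parse the constructed format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def lockout_hits(events, threshold=5, window=timedelta(minutes=15)):
    """Accounts a per-account lockout policy would lock: `threshold` failures
    within `window`, regardless of source. Spray traffic stays under this."""
    by_user = defaultdict(list)
    for ts, _ip, user, result in events:
        if result == "FAIL":
            by_user[user].append(ts)
    locked = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                locked.add(user)
                break
    return sorted(locked)


def detect_spray(events, window=timedelta(hours=1), min_accounts=8, max_per_account=3):
    """Per-source check: flag an IP whose failures inside `window` touch at least
    `min_accounts` distinct accounts with at most `max_per_account` failures each,
    and list any accounts that source signed in to once the spray began."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, user, r in evs if r == "FAIL"]
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _ts, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > best["accounts_targeted"]:
                    since = fails[start][0]
                    best = {
                        "accounts_targeted": len(per_user),
                        "max_failures_per_account": max(per_user.values()),
                        "successes_after_spray": sorted(
                            {u for ts, u, r in evs if r == "SUCCESS" and ts >= since}),
                    }
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("lockout policy would lock:", lockout_hits(evs))
    for ip, info in detect_spray(evs).items():
        print("spray from", ip, info)
```

On the sample data the lockout check locks only alice, whose failures come from the single-account brute forcer, and never touches the ten accounts the spray hit once each; the per-source check flags 203.0.113.7 and surfaces the test-legacy account it went on to sign in to, which is the follow-up a responder needs to look at first.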

“Companies should prioritize educating employees about the benefits of strong passwords and 2FA, as well as the characteristics of social engineering attacks, malicious links and attachments, and the dangers of insecure password sharing,” said Gary Orenstein, chief customer officer at the password manager Bitwarden, in an email to TechRepublic. “Raise awareness of the organization's culture through simulations or interactive modules to instill better security habits and reinforce a resilient cybersecurity posture.”

Challenges in confronting nation-state actors

State-sponsored attacks are expected to be among the leading cybersecurity threats in 2024. These attacks highlight the need for comprehensive incident response plans and threat intelligence monitoring, especially among organizations likely to be specifically targeted, such as large technology or infrastructure companies.

Regarding state actors specifically, Microsoft said that attacks like the recent password spraying attack caused the company to change “the balance we need to strike between security and business risk; the traditional type of calculation is simply not enough anymore.”

“For Microsoft, this incident has highlighted the urgent need to act even faster. We will act immediately to apply our current security standards to legacy systems and internal business processes owned by Microsoft, even when these changes may cause disruptions to existing business processes,” Microsoft wrote.

Editor's note: When TechRepublic contacted Microsoft for more information, the tech giant pointed us to its blog post.