Microsoft says the Russian 'Midnight Blizzard' hacking group recently accessed some of its internal systems and source code repositories using authentication secrets stolen during a January cyberattack.

In January, Microsoft disclosed that Midnight Blizzard (aka NOBELIUM) had breached corporate email servers after conducting a password spray attack that allowed access to a legacy non-production test tenant account.

A later blog post revealed that this test account did not have multi-factor authentication enabled, allowing the threat actors to gain access to breach Microsoft's systems.

This test tenant account also had access to an OAuth application with elevated access to Microsoft's corporate environment, allowing the threat actors to access and steal data from corporate mailboxes, including members of Microsoft's leadership team and employees in the cybersecurity and legal departments.

The company believes the threat actors breached some of these email accounts to learn what Microsoft knew about them.

Midnight Blizzard hacks Microsoft again

Today, Microsoft says that Midnight Blizzard is using secrets found in the stolen data to gain access to some of the company's systems and source code repositories in recent weeks.

"In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," reads a new blog post by the Microsoft Security Response Center.

"This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised."

While Microsoft has not explained precisely what these "secrets" include, they are likely authentication tokens, API keys, or credentials.

Microsoft says they have begun contacting customers whose secrets were exposed to the threat actors in stolen emails between them and Microsoft.

"It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures," continued Microsoft.

The company says that Midnight Blizzard is also ramping up its password spray attacks against targeted systems, observing a 10-fold increase in February compared to the volume they saw in January 2024.

A password spray is a type of brute force attack where threat actors collect a list of potential login names and then attempt to log in to all of them using a long list of possible passwords. If one password fails, they repeat this process with other passwords until they run out or successfully breach the account.

For this reason, companies must configure MFA on all accounts to prevent access, even if credentials are correctly guessed.

In an amended Form 8-K filing with the SEC, Microsoft says they have increased security across their organization to harden it against advanced persistent threat actors.

"We have increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat," reads the 8-K filing.

"We continue to coordinate with federal law enforcement with respect to its ongoing investigation of the threat actor and the incident."

Who is Midnight Blizzard

Midnight Blizzard (aka Nobelium, APT29, and Cozy Bear) is a state-sponsored hacking group linked to Russia's Foreign Intelligence Service (SVR).

The hackers gained prominence after conducting the 2020 SolarWinds supply chain attack, which allowed the threat actors to breach numerous companies, including Microsoft.

Microsoft later confirmed that the attack allowed Midnight Blizzard to steal source code for a limited number of Azure, Intune, and Exchange components.

In June 2021, the hacking group once again breached a Microsoft corporate account, allowing them to access customer support tools.

Since then, the hacking group has been linked to large number of cyberespionage attacks against NATO and EU countries, targeting embassies and government agencies.

In addition to conducting cyberespionage and data theft attacks, Nobelium is known for developing custom malware to use in their attacks.