Microsoft: Russians are using stolen information to breach company’s systems

Microsoft warned on Friday that Russian hackers behind several headline-grabbing attacks on the U.S. government are now exploiting information they stole from the tech giant’s systems in November.

Microsoft’s Security Team said that in recent weeks, it has seen evidence that cyber-espionage group attributed to Russia’s Foreign Intelligence Service (SVR) has been using information exfiltrated from the company’s corporate email enivronment.

The hackers are leveraging what they took in the November incident — which was discovered in January — to ”gain, or attempt to gain, unauthorized access.”

“This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised,” Microsoft said.

Friday’s warning concerns a cyber-espionage unit Microsoft calls Midnight Blizzard, which the U.S. government has linked to the SVR.

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” Microsoft said.

The group has greatly increased some aspects of the operation, such as “password sprays,” or using discovered passwords on multiple accounts to try to get access, Microsoft said.

The company added that the group may be using the information it has to “accumulate a picture of areas to attack and enhance its ability to do so.” The investigation into the campaign is ongoing, but Microsoft warned that the attack is “characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus.”

Microsoft filed documents with the Securities and Exchange Commission (SEC) that reiterated what was in the blog post.

Midnight Blizzard is also known to Western cybersecurity researchers as Cozy Bear, BlueBravo and APT29.

Microsoft initially announced the issue on January 19 and said the campaign began in late November 2023, when hackers compromised a test account and accessed the email accounts of Microsoft’s senior leadership team as well as employees involved in cybersecurity, legal, and other functions.

The hackers stole emails and attached documents during the attack. A Microsoft investigation indicated that the hackers were looking for information about themselves. Microsoft drew criticism for not explaining how hackers were able to pivot from what they called “non-production test accounts” into the inboxes of the company’s senior leaders.

Midnight Blizzard, which Microsoft used to call Nobelium, is well known for its 2020 attack on tech company SolarWinds, which gave it widespread access to several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, State Department and other parts of the U.S. government.

Last week, Britain’s National Cyber Security Centre (NCSC) and international partners from the Five Eyes alliance warned that the SVR is adapting its techniques to hack into organizations that have moved networks into cloud-hosted environments.

Over the past 12 months, the hackers have “been observed stealing system-issued access tokens to compromise victim accounts.” These access tokens can be stolen if the hackers compromise personal, unmanaged devices that have access to corporate resources.