Microsoft Executive Emails Hacked By Russian Hackers


On Friday, reports emerged confirming that Microsoft executive emails were hacked by a Russian intelligence group called Midnight Blizzard.

Microsoft Executive Emails Hacked

In a shocking revelation, a notorious Russia-linked hacking group hacked Microsoft executive emails. Microsoft states that the email accounts of its executives and senior leadership employees were breached in this cyber attack. In a statement, the company said it had detected malicious activity by the Russia-aligned intelligence group Midnight Blizzard (aka Nobelium). In a regulatory filing submitted Friday, Microsoft said a Russian intelligence group accessed some of its top executives’ emails. It appears that Nobelium, the group responsible for the SolarWinds breach in 2020, carried out the attack, which Microsoft detected last week.

Microsoft Executive Emails Hacked by Midnight Blizzard – SEC Filing

As per the filing, “On January 12, 2024, Microsoft (the “Company” or “we”) detected that beginning in late November 2023, a nation-state associated threat actor had gained access to and exfiltrated information from a very small percentage of employee email accounts including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, on the basis of preliminary analysis. We were able to remove the threat actor’s access to the email accounts on or about January 13, 2024.”

In addition, the Cybersecurity and Infrastructure Security Agency (CISA) is “closely coordinating with Microsoft to gain additional insights into this incident and understand impacts so we can help protect other potential victims,” CISA executive assistant director for cybersecurity Eric Goldstein said in a statement to CNBC.

In November, hackers used a “password spray” attack to break into the company’s systems. This “brute force attack,” also known as “password guessing,” involves attackers quickly trying multiple passwords on the same user name to gain access to a targeted corporate account. Beyond accessing the accounts, the attackers also took emails and attachments. According to Microsoft, the hack was detected on January 12, and employees whose emails were accessed are still being notified.
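Detection logic for the password-guessing pattern described above, run over constructed sample authentication events. This is an added example, not code from the article or from Microsoft; the event format, thresholds and IP addresses are assumptions, and it flags both repeated failures against one account and failures fanned out across many accounts from one source, since either shape precedes the first successful login that turns guessing into a breach.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system):
# (timestamp, source_ip, account, outcome)
SAMPLE_EVENTS = [
    ("2023-11-20T02:00:01", "203.0.113.7", "alice", "FAIL"),
    ("2023-11-20T02:00:03", "203.0.113.7", "bob", "FAIL"),
    ("2023-11-20T02:00:05", "203.0.113.7", "carol", "FAIL"),
    ("2023-11-20T02:00:07", "203.0.113.7", "dave", "FAIL"),
    ("2023-11-20T02:00:09", "203.0.113.7", "erin", "FAIL"),
    ("2023-11-20T02:00:11", "203.0.113.7", "legacy-test", "SUCCESS"),
    ("2023-11-20T02:01:00", "198.51.100.9", "frank", "FAIL"),
    ("2023-11-20T02:01:02", "198.51.100.9", "frank", "FAIL"),
    ("2023-11-20T02:01:04", "198.51.100.9", "frank", "FAIL"),
    ("2023-11-20T02:01:06", "198.51.100.9", "frank", "FAIL"),
    ("2023-11-20T02:01:08", "198.51.100.9", "frank", "FAIL"),
    ("2023-11-20T02:01:10", "198.51.100.9", "frank", "FAIL"),
    ("2023-11-20T09:15:00", "192.0.2.44", "alice", "FAIL"),   # a user's typo
    ("2023-11-20T09:15:30", "192.0.2.44", "alice", "SUCCESS"),
]

def detect_password_attacks(events, window=timedelta(minutes=10),
                            spray_accounts=5, bruteforce_fails=5):
    """Return {source_ip: alert} for sources whose failures, within a
    sliding window, hit >= spray_accounts distinct accounts ("spray") or
    >= bruteforce_fails times one account ("bruteforce"). Any successful
    login from that source inside the window is listed for triage.
    Thresholds are assumed values; tune them to the environment."""
    by_src = defaultdict(list)
    for ts, src, acct, outcome in events:
        by_src[src].append((datetime.fromisoformat(ts), acct, outcome))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            fails = [e for e in win if e[2] == "FAIL"]
            per_acct = defaultdict(int)
            for _, acct, _ in fails:
                per_acct[acct] += 1
            kinds = []
            if len(per_acct) >= spray_accounts:
                kinds.append("spray")
            if any(n >= bruteforce_fails for n in per_acct.values()):
                kinds.append("bruteforce")
            if kinds:  # first window that trips a rule is enough per source
                alerts[src] = {"kinds": kinds, "failed_accounts": len(per_acct),
                               "successes_in_window": sorted({e[1] for e in win if e[2] == "SUCCESS"})}
                break
    return alerts
```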

SEC New Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

The announcement comes after new U.S. requirements for disclosing cybersecurity incidents took effect. According to a spokesperson for Microsoft, even though the attack did not have a material effect, it still wanted to honor the rules. According to the new rule guidelines, “The Securities and Exchange Commission today adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.”

Russian State-Sponsored Threat Actors and Cyber Attacks

The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment states that “Russia will remain a top cyber threat as it refines and employs its espionage, influence, and attack capabilities” and that, “…Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.”

Russia’s war against Ukraine has been going on for almost two years now, and state-sponsored attacks that can leak sensitive data become more likely during periods of armed conflict. According to Russian media reports, Ukrainian forces conducted drone strikes in multiple Russian cities on Thursday.

Midnight Blizzard

In December 2023, the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) released a joint Cybersecurity Advisory (CSA) regarding the Russian-backed threat actor Midnight Blizzard. According to the advisory, “Since September 2023, Russian Foreign Intelligence Service (SVR)-affiliated cyber actors (also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard) have been targeting servers hosting JetBrains TeamCity software that ultimately enabled them to bypass authorization and conduct arbitrary code execution on the compromised server.”

Star Blizzard

According to the cyber security advisory released by CISA and FBI, “The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.”

Sandworm

CISA has also mentioned that it is aware that the actor known as Sandworm has used new mobile malware in a campaign targeting Android devices used by the Ukrainian military. The malware is referred to as Infamous Chisel. Organizations from the United Kingdom, United States, Australia, Canada, and New Zealand have previously linked the Sandworm actor to the Russian GRU’s Main Centre for Special Technologies (GTsST).

Current Global Cyber Threat Landscape

In recent times, cyber attacks have been increasing at an enormous pace, and a similar trend is expected to continue in 2024. The recent cyber attacks on telecom giants, the oil and gas industry, the healthcare industry, the automobile industry, intelligence services, utilities, and government agencies are a reminder to stay more cautious and take preventive measures to stay protected from such cyber threats in 2024.
