Microsoft said a Moscow-sponsored hacker group “exfiltrated some emails and attached documents” and “access to some of the company’s source code repositories and internal systems” since November 2023, and it is now continuing to use that compromised information to further its hacking attempts.

The company detected the attempts in January and identified the group as Midnight Blizzard, a Russian state-sponsored actor also known as Nobelium and Cozy Bear, who is known to be associated with Russia’s Foreign Intelligence Service (SVR) according to a Microsft cybersecurity report on Ukraine from June 2022.

Microsoft also believed the attacks were aimed at understanding the company’s level of knowledge about the group itself and not driven by commercial or financial motives.


Source: A slide taken from Microsoft’s Defending Ukraine: Early Lessons from the Cyber War report.

It is believed that Midnight Blizzard utilized password-spraying attacks, in which the same, commonly used passwords were used on multiple accounts in brute-force attacks.

Moscow Potentially Spying Through ‘Shadow Fleets’: Swedish Navy Chief
Other Topics of Interest

Moscow Potentially Spying Through ‘Shadow Fleets’: Swedish Navy Chief

The official said Sweden is now closely monitoring the ships Russia has used to bypass oil sanctions after spotting “antennas and masts” atypical of fishing vessels.

During last year’s attempts, the group first compromised a dormant account, then it used the newly gained permissions to get ahold of “a very small percentage of Microsoft corporate email accounts,” including that of senior Microsoft personnel and employees in the cybersecurity, legal and other teams.

It then extracted “some emails and attached documents” and “access to some of the company’s source code repositories and internal systems,” where it continued to use the compromised info to further its hacking efforts.


“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems.

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” read the Microsoft blog post.

The company added that it has “found no evidence” that its customer-facing systems have been compromised.”

Microsoft also said it registered an increased volume of attacks by Midnight Blizzard “by as much as 10-fold” in February compared to the month prior, and the likely involvement of state actors such as Moscow has highlighted certain risks in the cybersecurity landscape.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so.


“This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks,” read the blog post.

The company said investigations are ongoing.

Midnight Blizzard was also the group behind the 2020 SolarWinds hack, where multiple US federal agencies were compromised.

To suggest a correction or clarification, write to us here
You can also highlight the text and press Ctrl + Enter

Comments (0)
Write the first comment for this!