Russian state-backed hackers breached Microsoft's core software systems, company says

Microsoft said it first detected the attack in January.

March 8, 2024, 12:31 PM

A Russian state-backed group that Microsoft said hacked into its corporate email accounts was able to gain access to its core software systems, the company announced on Friday.

Microsoft said its security team detected the attack in January and identified the group responsible as Midnight Blizzard, "the Russian state-sponsored actor also known as Nobelium."

"In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," Microsoft said in a blog post update on Friday. "This has included access to some of the company's source code repositories and internal systems."

The company said it has found no evidence that Microsoft-hosted customer-facing systems have been compromised due to the breach.

As of Friday, the incident has "not had a material impact" on Microsoft's operations, the company stated in an SEC filing.

"The Company has not yet determined that the incident is reasonably likely to materially impact the Company's financial condition or results of operations," the filing stated.

Midnight Blizzard is apparently attempting to use "secrets" that it has found in the hack, according to Microsoft.

"Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures," Microsoft said.

The volume of some aspects of the ongoing attack has intensified, increasing as much as 10-fold in February compared to January, Microsoft said. That includes "password sprays," in which an attacker tries a single common password against multiple accounts on the same application, the company said.

"Across Microsoft, we have increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat," Microsoft said Friday. "We have and will continue to put in place additional enhanced security controls, detections, and monitoring."

The attack began in November, Microsoft said. The company was able to remove the hacker's access to the email accounts on Jan. 13, according to a company filing with the SEC.

The company said in its SEC filing on Friday that it continues to coordinate with federal law enforcement on the ongoing investigation into the incident.