On Friday, Microsoft announced that the Kremlin-supported group known as Midnight Blizzard (also called APT29 or Cozy Bear) accessed some of its source code repositories and internal systems after a hack discovered in January 2024.
“Recently, we have seen proof that Midnight Blizzard is using information taken from our corporate email systems to try to gain unauthorized access,” the tech giant said.
“This included access to some of our source code repositories and internal systems. So far, we have found no evidence that customer-facing systems have been compromised.”
Microsoft, which is still investigating the breach, stated the Russian state-backed group is trying to use various types of sensitive information it discovered, including details shared with customers through email.
However, it did not specify what these details were or how extensive the breach is, though it confirmed that it has contacted affected customers. The exact source code accessed remains unclear.
Microsoft mentioned it has increased its security investments and noted the adversary increased its password spray attacks by up to 10 times in February compared to January’s “already high volume.”
“Midnight Blizzard’s ongoing attack shows a significant commitment of the threat actor’s resources, coordination, and focus,” it stated.
“They may be using the information obtained to identify areas to target and improve their ability to do so. This reflects a global threat landscape that has become increasingly dangerous, particularly regarding sophisticated nation-state attacks.”
The Microsoft breach reportedly occurred in November 2023, with Midnight Blizzard using a password spray attack to infiltrate a legacy, non-production test account that lacked multi-factor authentication (MFA).
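As an added defender's example (not code from the article or from Microsoft), the following Python detector looks for the password-spray shape described above, one source failing against many distinct accounts with only a few attempts each, and then flags any success that source obtains on an account with no MFA. The sign-in log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (timestamp, source IP, account, result, MFA state); made-up data.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z 203.0.113.7 alice@example.test FAIL mfa=enforced
2024-01-12T03:00:04Z 203.0.113.7 bob@example.test FAIL mfa=enforced
2024-01-12T03:00:09Z 203.0.113.7 carol@example.test FAIL mfa=enforced
2024-01-12T03:00:15Z 203.0.113.7 dave@example.test FAIL mfa=enforced
2024-01-12T03:00:21Z 203.0.113.7 svc-legacy-test@example.test FAIL mfa=none
2024-01-12T03:00:27Z 203.0.113.7 svc-legacy-test@example.test SUCCESS mfa=none
2024-01-12T03:05:00Z 198.51.100.2 alice@example.test FAIL mfa=enforced
2024-01-12T03:05:30Z 198.51.100.2 alice@example.test FAIL mfa=enforced
2024-01-12T03:06:00Z 198.51.100.2 alice@example.test SUCCESS mfa=enforced
"""

def parse_line(line):
    ts, ip, account, result, mfa = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip, "account": account, "result": result,
        "mfa": mfa.split("=", 1)[1],
    }

def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_accounts=5, max_fails_per_account=2):
    """Return {ip: finding} for source IPs whose failures inside a sliding window
    spread across many accounts with few tries each (the spray shape), together
    with any success those IPs obtained on an account that has no MFA."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):          # slide the window over each failure
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            per_account = defaultdict(int)
            for e in in_window:
                per_account[e["account"]] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_fails_per_account:
                no_mfa_hits = sorted({e["account"] for e in evs
                                      if e["result"] == "SUCCESS" and e["mfa"] == "none"})
                findings[ip] = {"accounts_tried": len(per_account),
                                "success_without_mfa": no_mfa_hits}
                break
    return findings
```

A single user retrying their own password (the second source above) is not flagged, because the spray test requires breadth across accounts rather than depth on one.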
In late January, Microsoft revealed that APT29 targeted additional organizations using a variety of entry methods, from stolen credentials to supply chain attacks.
Midnight Blizzard is linked to Russia’s Foreign Intelligence Service (SVR). Active since at least 2008, this group is one of the most advanced hacking collectives, having compromised high-profile targets like SolarWinds.