Russian Hackers of SolarWinds Compromise Microsoft Corporate Email Accounts

This wasn't a sophisticated zero-day or supply chain attack.

Edward Gately, Senior News Editor

January 22, 2024


Nobelium, the Russian nation-state hacking group behind the massive SolarWinds attack, has targeted Microsoft, compromising a small number of email accounts, including those belonging to senior staff.

The attack was detected on Jan. 12, with a response plan implemented to disrupt the activity and investigate what happened.

“Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium,” Microsoft wrote in a blog. “As part of our ongoing commitment to responsible transparency as recently affirmed in our Secure Future Initiative (SFI), we are sharing this update.”

Targeting Specific Email Accounts

Beginning in late November, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a “very small percentage” of Microsoft corporate email accounts, including members of its senior leadership team and employees in its cybersecurity, legal and other functions, and exfiltrated some emails and attached documents.

“The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself,” Microsoft said. “We are in the process of notifying employees whose email was accessed. The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code or artificial intelligence (AI) systems. We will notify customers if any action is required.”

Arie Zilberstein, CEO and co-founder of Gem Security, a cloud detection and incident response company, said although conducted by a nation-state threat actor, this was not a sophisticated zero-day or supply chain attack.


“Surprisingly, the adversary managed to stay persistent in the cloud infrastructure for more than two months before being discovered,” he said. “We recommend that organizations implement continuous monitoring of their cloud logs so they can spot anomalous activities before attackers can access and exfiltrate sensitive data.”
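Zilberstein's recommendation to monitor cloud logs for anomalous activity, applied to the password-spray technique described earlier in this article, as an added example (not code from Microsoft, Gem Security or the article): it flags a source IP that fails sign-ins against many distinct accounts with few attempts each, and lists any successful sign-in from that IP after the spray began, since that success is the foothold to investigate. The sign-in records and their field layout are constructed for illustration and do not follow any real identity provider's log schema.

```python
"""Password-spray detection over cloud sign-in logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Tuple layout is an assumption:
# (timestamp, source_ip, target_user, result, error_code).
# 203.0.113.7 tries one guess against six accounts, then succeeds on a
# legacy test account; 198.51.100.4 is one user mistyping a password.
SAMPLE_LOG = [
    ("2023-11-28T02:00:05Z", "203.0.113.7", "alice@corp.test", "failure", "invalid_password"),
    ("2023-11-28T02:00:09Z", "203.0.113.7", "bob@corp.test", "failure", "invalid_password"),
    ("2023-11-28T02:00:14Z", "203.0.113.7", "carol@corp.test", "failure", "invalid_password"),
    ("2023-11-28T02:00:20Z", "203.0.113.7", "dave@corp.test", "failure", "invalid_password"),
    ("2023-11-28T02:00:26Z", "203.0.113.7", "erin@corp.test", "failure", "invalid_password"),
    ("2023-11-28T02:00:31Z", "203.0.113.7", "frank@corp.test", "failure", "invalid_password"),
    ("2023-11-28T02:00:37Z", "203.0.113.7", "legacy-test@corp.test", "success", ""),
    ("2023-11-28T09:15:00Z", "198.51.100.4", "grace@corp.test", "failure", "invalid_password"),
    ("2023-11-28T09:15:12Z", "198.51.100.4", "grace@corp.test", "failure", "invalid_password"),
    ("2023-11-28T09:15:30Z", "198.51.100.4", "grace@corp.test", "success", ""),
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in SAMPLE_LOG."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_password_spray(records, window=timedelta(hours=1),
                          min_users=5, max_attempts_per_user=2.0):
    """Return one alert per source IP that shows spray behaviour.

    Spray signature: within `window`, one IP fails against at least
    `min_users` distinct accounts with on average no more than
    `max_attempts_per_user` failures each (few guesses, many targets).
    Many failures against one account is brute force and is not flagged.
    Each alert also lists successful sign-ins from that IP at or after
    the start of the spray window.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result, _error in records:
        by_ip[ip].append((parse_ts(ts), user, result))

    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        failures = [(t, u) for t, u, r in events if r == "failure"]
        best = None  # (distinct_users, attempts, window_start, window_end)
        start = 0
        for end in range(len(failures)):
            # Slide the left edge so the window never exceeds `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            current = failures[start:end + 1]
            distinct = len({u for _, u in current})
            if best is None or distinct > best[0]:
                best = (distinct, len(current), failures[start][0], failures[end][0])
        if best is None or best[0] < min_users:
            continue
        distinct, attempts, w_start, w_end = best
        if attempts / distinct > max_attempts_per_user:
            continue
        successes = sorted({u for t, u, r in events
                            if r == "success" and t >= w_start})
        alerts.append({
            "ip": ip,
            "distinct_users": distinct,
            "failed_attempts": attempts,
            "window_start": w_start.isoformat(),
            "window_end": w_end.isoformat(),
            "successes_after_spray": successes,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately parameters: a tenant with single sign-on for thousands of users will want a higher `min_users`, and a spray that is spread slowly over days to stay under per-window counts needs a longer `window` or a second pass keyed on the error code rather than the IP. The success-after-spray field is the item to act on first, because, as in the incident described above, the account that finally accepts a sprayed password is the one whose permissions the attacker will use next.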

No Organizations Excluded from Nation-State Attacks

Omri Weinberg, chief revenue officer and co-founder of DoControl, said it's increasingly clear that nation-state actors can and will go after private-sector companies if doing so creates value or an advantage for them.

“While Microsoft had announced intent to provide defenses against nation-state threat actors in their SFI announcement, this attack should remind all organizations that they are not excluded from potential nation-state level attacks," he said. "This is a reminder that many systems that seem less critical − like email, file sharing, etc. − often contain very sensitive information and can be active targets for threat actors. Many of these kinds of services are consumed via a SaaS model, which can make security and monitoring more challenging for organizations. This also underscores that organizations cannot rely on their SaaS providers to secure their data in SaaS, but need additional, third-party tools to really have full visibility and control who or what can access their sensitive data in these platforms.”

Callie Guenther, senior manager of cyber threat research at Critical Start, said this attack demonstrates Nobelium’s ongoing adaptation and evolution in tactics.


“While less sophisticated than some previous attacks, it still achieved penetration of a high-value target,” she said. “For organizations, this underscores the importance of not only securing production environments, but also ensuring that test and development environments are equally secure. Given Nobelium’s ties to Russian intelligence, their activities often reflect broader geopolitical motivations and objectives.”

Microsoft 'Lucky This Time'

Carol Volk, executive vice president of BullWall, said the apparent lack of two-factor authentication (2FA) and/or weak passwords by Microsoft’s senior staff allowed the Russian hacking group Midnight Blizzard to read their emails, “and that’s the point here, anyone and everyone is vulnerable.”

“It’s not just the zero-days that get you; it’s just that one hole in your defenses,” she said. “In this case, an old-fashioned password spray attack worked just fine to let attackers in to read management emails. Microsoft is lucky this time, as apparently the gang was searching emails to see what Microsoft was saying about them. They could have just as easily stolen or destroyed the data. Attackers can always find a way into a network, so regular air-gapped backups and a rapid response ransomware containment system should be part of the complete defensive stack.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
