The group’s “attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” Microsoft wrote on its security blog. “This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”
Microsoft said it was reviewing emails that had been stolen from executives and its security staff, and warning customers whose secrets might have been revealed in that correspondence. It declined to say how many customers it had alerted, or to rule out whether the hackers had stolen source code or remained inside the company. Hewlett-Packard Enterprise, which provides cloud services to major companies, also said last month that it had been hacked.
The campaign’s success has shocked intelligence officials on multiple continents, who’ve privately warned dozens of more victims. They’ve issued warnings to users of cloud services, including Microsoft’s Office programs and Outlook email, with detailed recommendations about how to harden their installations.
On Thursday, the U.S. National Security Agency and Department of Homeland Security recommended that customers evaluate the security record of their vendors, audit the logs of activity on their accounts and limit the authority of users.
Though Amazon and Alphabet’s Google are major sellers of cloud services, neither has announced increased attacks or has as many sensitive government agencies as clients as Microsoft. Both declined to comment. (Amazon founder Jeff Bezos owns The Washington Post.)
Microsoft attributed the ongoing attacks to an SVR group that it calls Midnight Blizzard and that other security companies refer to as APT29 or Cozy Bear. It is the same group that hacked the network software company SolarWinds in 2020. In that case, the hackers inserted a backdoor into SolarWinds code that allowed them to delve into nine federal agencies and 100 other SolarWinds customers.
As part of that hacking campaign, the intruders compromised Microsoft resellers with ongoing access to customers, then added or modified accounts in pursuit of email to steal. The SEC sued SolarWinds last year for not telling stockholders that their systems were subject to hacks.
Interviews with people who responded to recent attacks show that resellers remain a target for the SVR, especially those that have constant access to customers through “service accounts” that can add or remove new Microsoft users.
“One of the things we’re seeing is the continued abuse and exploitation of smaller companies that will set up email tenants for small organizations. That allows the threat actor to compromise the small company’s environment and get administrator access to all the tenant emails they have set up in the past.” said Charles Carmakal, chief technology officer at Google’s Mandiant security business.
“Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations,” the Britain’s National Cyber Security Centre (NCSC) said in a bulletin last week. “SVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organisation but whose accounts remain on the system.”
The NCSC said the intelligence services of the “Five Eyes” — Great Britain, Australia, Canada, New Zealand and the United States — agreed that Russia’s SVR was the perpetrator of the attack. It said the SVR had expanded its targets from national agencies and think tanks to include aviation, education, law enforcement, local government and military targets.
Microsoft’s revised assessment renewed questions about its ability to defend itself and sensitive customers. The intrusion is one of multiple breaches there by the SVR in the past few years. In a previous incident, the hackers retrieved source code about the company’s identity authentication system. Microsoft was also used by Chinese government hackers last year as a steppingstone to steal emails from State and Commerce department officials.
Chris Krebs, chief intelligence officer at security company SentinelOne, said Russia and others are naturally targeting the cloud providers as more big companies and governments come to depend on them.
“We have not hit a pain point for them that could cause them to rethink their strategy of going after these larger cloud service companies like Microsoft. They firmly have it in their targeting priority list,” said Krebs, who previously led the Cybersecurity and Infrastructure Security Agency.
In the most recent case, Microsoft’s initial disclosure said the SVR hackers had gotten into an inactive cloud test account. But it did not say how they had gotten from there into the emails of senior executives, and that question remains unanswered, keeping open the possibility that the SVR has discovered a new major flaw in Microsoft’s Azure cloud system.
“It’s clear that authentication is a mess within Microsoft,” said Adam Meyers, senior vice president at CrowdStrike, which like SentinelOne competes in the security business with Microsoft.
Meyers said it was dangerous that many government customers rely on Microsoft not only for word processing and email, but also authentication and security.
“If you put all of your eggs into one basket, and that basket is Microsoft, that basket has a big egg-shaped hole in it,” Meyers said. “You need layered security.”