Microsoft Confirms Russian Hackers Stole Source Code

Microsoft announced on Friday that Midnight Blizzard, a Kremlin-backed threat actor also known as APT29 or Cozy Bear, successfully breached some of its source code repositories and internal systems during a hacking incident that came to light in January 2024.

In recent weeks, Microsoft found evidence that Midnight Blizzard is using information originally exfiltrated from its corporate email systems to gain, or attempt to gain, unauthorized access. That access has so far extended to some of Microsoft's source code repositories and internal systems; to date there is no evidence that Microsoft-hosted customer-facing systems were compromised.

Microsoft is still investigating the extent of the breach and disclosed that the Russian state-sponsored actor is attempting to use secrets of various kinds found in the exfiltrated email, including secrets shared between customers and Microsoft in email correspondence. The nature and scale of those compromised secrets have not been disclosed, but Microsoft says it has contacted the affected customers directly. Which source code was accessed likewise remains undisclosed.

Microsoft emphasized its increased security investments but noted that Midnight Blizzard intensified its password spray attacks in February, reaching up to 10 times the already substantial volume observed in January.

Describing the ongoing attack, Microsoft stated, “Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus.” The company suspects the adversary may use the obtained information to identify vulnerable areas and enhance its ability to launch further attacks, highlighting the unprecedented global threat landscape posed by sophisticated nation-state attacks.

The initial intrusion, in late November 2023, began with a password spray attack against a legacy, non-production test tenant account that had no multi-factor authentication (MFA) enabled. Password spraying tries a small set of common passwords against many accounts, so each account sees only one or two failed sign-ins and per-account lockout thresholds are never tripped; without MFA, a single correct guess is enough for access. Microsoft had previously documented APT29 targeting other organizations with a range of initial access methods, from stolen credentials to supply chain attacks.
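Because a spray keeps the failure count per account low, per-account lockout does not see it; the signal is breadth per source: one IP failing against many distinct accounts in a short window. The following detector is an added example, not code from Microsoft or from the article, run over constructed sign-in log lines. The log format (timestamp, source IP, username, result), the ten-minute window and the thresholds are assumptions chosen for illustration; a real deployment would read the identity provider's sign-in events and tune the thresholds to its own baseline.

```python
"""Password-spray detection over sign-in logs (added example, not from the article).

A spray shows up as one source failing against many distinct accounts with few
failures per account inside a short window. A plain brute force against a single
account (second source below) is deliberately NOT flagged: per-account lockout
already handles that pattern, and conflating the two hides the spray.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real telemetry. Fields: timestamp, source IP,
# username, result. The first source sprays six accounts once each and lands
# on an account without MFA; the second hammers a single account.
SAMPLE_LOG = """\
2023-11-21T02:00:01Z 203.0.113.7 alice@test.example FAILURE
2023-11-21T02:00:03Z 203.0.113.7 bob@test.example FAILURE
2023-11-21T02:00:05Z 203.0.113.7 carol@test.example FAILURE
2023-11-21T02:00:07Z 203.0.113.7 dave@test.example FAILURE
2023-11-21T02:00:09Z 203.0.113.7 erin@test.example FAILURE
2023-11-21T02:00:11Z 203.0.113.7 frank@test.example FAILURE
2023-11-21T02:00:13Z 203.0.113.7 legacy-test@test.example SUCCESS
2023-11-21T02:05:00Z 198.51.100.9 alice@test.example FAILURE
2023-11-21T02:05:10Z 198.51.100.9 alice@test.example FAILURE
2023-11-21T02:05:20Z 198.51.100.9 alice@test.example SUCCESS
"""

# Assumed thresholds: tune to the tenant's own baseline.
WINDOW = timedelta(minutes=10)   # sliding window per source IP
MIN_DISTINCT_USERS = 5           # breadth that distinguishes a spray
MAX_FAILS_PER_USER = 2           # sprays stay under lockout, so few per account


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_password_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                          max_per_user=MAX_FAILS_PER_USER):
    """Return {source_ip: alert} for sources whose failures look like a spray.

    Each alert records how many distinct accounts were tried, the window bounds,
    and any successful sign-ins from the same source after the spray began,
    which is the account the attacker actually got into.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "FAILURE"]
        start = 0
        for end in range(len(fails)):
            # Advance the window start so the window never exceeds `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            win = fails[start:end + 1]
            per_user = defaultdict(int)
            for e in win:
                per_user[e[2]] += 1
            wide = len(per_user) >= min_users
            shallow = max(per_user.values()) <= max_per_user
            if wide and shallow:
                # Keep the widest qualifying window seen for this source.
                if ip not in alerts or len(per_user) > alerts[ip]["distinct_users"]:
                    hits = sorted({e[2] for e in evs
                                   if e[3] == "SUCCESS" and e[0] >= win[0][0]})
                    alerts[ip] = {
                        "distinct_users": len(per_user),
                        "first": win[0][0],
                        "last": win[-1][0],
                        "successes_after": hits,
                    }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {ip}: {alert['distinct_users']} accounts between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}; "
              f"successful sign-ins after spray began: {alert['successes_after']}")
```

Only the first source is reported: six distinct accounts, one failure each, followed by a success against the legacy test account. The second source, three attempts against one account, is left to the per-account lockout policy. The `successes_after` field is what turns a noisy alert into an incident: a success from a spraying source is the account that needs its sessions revoked and MFA enforced.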

Midnight Blizzard, attributed to Russia's Foreign Intelligence Service (SVR), has been active since at least 2008 and is best known for the 2020 SolarWinds supply chain compromise, which it used to reach high-profile government and private-sector targets.

In response to the breach, Tenable CEO Amit Yoran remarked, “Microsoft’s breach by Midnight Blizzard is a strategic blow.” Yoran criticized Microsoft’s transparency, stating, “Microsoft’s ubiquity requires a much higher level of responsibility and transparency than what they’ve consistently shown. Even now, they’re not sharing the full truth – for instance, we don’t yet know which source code has been compromised. These breaches aren’t isolated from each other, and Microsoft’s shady security practices and misleading statements purposely obfuscate the whole truth.”