Key Takeaways
The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that government agencies were affected by Midnight Blizzard’s attacks on Microsoft corporate email systems.
The security breach “presents a grave and unacceptable risk to agencies,” CISA stated in an emergency directive. The directive, dated April 2, was only disclosed on April 12.
Microsoft initially revealed that its email systems had been breached by Midnight Blizzard in January. However, it didn’t disclose which organizations were affected.
Following several updates, CISA recently confirmed that the “Russian state-sponsored cyber actor” had successfully infiltrated email correspondence between Microsoft and various civilian Federal agencies.
As a result of the attack, CISA has ordered all affected agencies to analyze the content of leaked emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.
CCN reached out to Microsoft for comments but the company had not responded at the time of writing.
Microsoft first publicly identified a nation-state cyber threat designated as NOBELIUM in 2020.
Although it didn’t immediately name Russia as the source of the attacks, the firm acknowledged that a shadowy entity had been targeting American organizations to further its geopolitical interests.
The company described a sophisticated hacking operation that had successfully breached the systems of world-class companies with strong security teams.
Since April 2023, Microsoft Threat Intelligence has shifted to a new threat actor naming scheme aligned around the theme of weather. As such, NOBELIUM was reclassified as Midnight Blizzard.
While the name may have changed, Midnight Blizzard has remained a persistent threat over the years, using a range of techniques to conduct espionage and steal secrets.
Some of its most well-known campaigns include the TEARDROP malware and a supply chain attack that trojanized the SolarWinds Orion business software.
In November 2023, Midnight Blizzard used a password spray attack to compromise a legacy internal test account and gain a foothold. From there, hackers used the account’s permissions to access several Microsoft corporate email accounts, including members of its senior leadership and cybersecurity teams.
Microsoft’s investigation into the incident revealed that the attackers were initially targeting email accounts for information related to Midnight Blizzard itself.
Following the initial success of the strategy, Midnight Blizzard appears to have ramped up the operation, with the number of password sprays multiplying tenfold in February.
Password spraying is a cyberattack tactic that involves using a single password to try and break into multiple target accounts.
Often relying on old-school guesswork to compromise accounts, password spray attacks are pretty low-tech by Midnight Blizzard’s standards. The fact that the strategy paid off points to a general complacency about cybersecurity that many people can be guilty of.
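The spray pattern described above, written up as an added detection example (not code from the article, CISA or Microsoft): it scans constructed sign-in records for one source failing against many distinct accounts in a short window with only a few attempts per account, and reports any later success from that source. The log format, field names, thresholds and account names are assumptions.

```python
# Added example: password-spray detection over constructed sign-in log lines.
# Spray signature: one source tries many *different* accounts with only one or two
# failed attempts each, staying under per-account lockout thresholds.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, user, outcome, source IP
SAMPLE_LOG = """\
2024-01-12T09:00:01Z alice@example.test FAILURE 203.0.113.7
2024-01-12T09:00:03Z bob@example.test FAILURE 203.0.113.7
2024-01-12T09:00:05Z carol@example.test FAILURE 203.0.113.7
2024-01-12T09:00:07Z dave@example.test FAILURE 203.0.113.7
2024-01-12T09:00:09Z erin@example.test FAILURE 203.0.113.7
2024-01-12T09:00:11Z test-legacy@example.test SUCCESS 203.0.113.7
2024-01-12T09:05:00Z alice@example.test FAILURE 198.51.100.9
2024-01-12T09:05:30Z alice@example.test FAILURE 198.51.100.9
2024-01-12T09:06:00Z alice@example.test SUCCESS 198.51.100.9
"""

def parse_line(line):
    ts, user, outcome, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome, ip

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: {"users": n, "max_per_user": m, "successes": [...]}}
    for every source whose failures hit at least `min_users` distinct accounts
    within `window`. A low `max_per_user` is the tell: brute force hammers one
    account, a spray touches many accounts lightly."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[2] == "FAILURE"]
        start = 0
        for end in range(len(failures)):          # sliding time window over failures
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = defaultdict(int)
            for e in failures[start:end + 1]:
                users[e[1]] += 1
            if len(users) >= min_users:
                alerts[ip] = {
                    "users": len(users),
                    "max_per_user": max(users.values()),
                    # a success from the same source is the account to reset first
                    "successes": sorted({e[1] for e in evs if e[2] == "SUCCESS"}),
                }
                break
    return alerts
```

The second source in the sample (repeated failures on a single account followed by a success) is an ordinary typo-then-login pattern and is deliberately not flagged.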