Microsoft has warned that Russian hackers have stepped up their attacks.


Microsoft warned on Friday that the Russian government hackers it accused of breaking into the emails of its executives last month were exploiting the stolen content to try to break into users’ computer systems.

In a securities filing and blog post, Microsoft said hackers affiliated with Russia’s SVR foreign intelligence service had also stepped up their attacks on Microsoft itself, looking for new areas to compromise.

The group’s “attacks are characterized by a sustained, significant commitment of the threat actor’s resources, coordination and attention,” Microsoft wrote on its security blog. “It reflects what has more broadly become an unprecedented global threat landscape, particularly in terms of sophisticated nation-state attacks.”

Microsoft said it is reviewing emails that were stolen from executives and its security staff, and is warning users whose secrets may be revealed in the correspondence. It declined to say how many users it had alerted, or whether the hackers stole source code or remained inside the company. Hewlett Packard Enterprise, which provides cloud services to large companies, also said last month that it had been hacked.

The campaign’s success to date has alarmed intelligence officials on several continents, who have privately warned of dozens more victims. They issued warnings to users of cloud services, including Microsoft’s Office programs and Outlook email, with detailed recommendations on how to harden their installations.

On Thursday, the US National Security Agency and the Department of Homeland Security recommended that consumers review their vendors’ security records, audit logs of activity on their accounts and limit consumer access.

Although Amazon and Alphabet’s Google are major sellers of cloud services, neither has reported an increase in attacks, and neither has government agencies as sensitive clients to the extent Microsoft does. Both declined to comment. (Amazon founder Jeff Bezos owns the Washington Post.)

Microsoft attributes the ongoing attacks to an SVR group it calls Midnight Blizzard, known to other security companies as APT29 or Cozy Bear. This is the same group that hacked network software company SolarWinds in 2020. In that case, the hackers inserted a backdoor into SolarWinds code that allowed them to gain access to 9 federal agencies and 100 other SolarWinds customers.

As part of this hacking campaign, intruders compromised Microsoft resellers and gained continuous access to users, then added or changed accounts in pursuit of email to steal. The SEC sued SolarWinds last year for failing to tell stockholders that its systems were subject to hacks.

Interviews with people responding to the recent attacks show that resellers continue to be a target for the SVR, particularly those who retain access to customers through “service accounts” that can be added or removed on Microsoft users’ systems.

“One of the things we’re seeing is the continued abuse and exploitation of small companies that will set up email tenants for small organizations. This allows a threat actor to compromise the small company’s environment and all of these tenant emails, which allow administrators to access what they’ve configured in the past,” said Charles Carmakal, chief technology officer of Google’s Mandiant security business.

“Accessing these accounts gives threat actors initial access to the network, to launch further operations,” Britain’s National Cyber Security Centre (NCSC) said in a bulletin last week. “SVR campaigns have also targeted inactive accounts of users who no longer work at an affected organization but whose accounts remain on the system.”

The NCSC said the intelligence services of the “Five Eyes” – Britain, Australia, Canada, New Zealand and the US – agreed that Russia’s SVR was responsible for the attack. It said the SVR expanded its targets from national agencies and think tanks to include aviation, education, law enforcement, local government and military targets.
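The two account classes singled out above, dormant accounts of departed users and reseller service accounts that keep privileged access, can be checked for in a tenant's own account inventory. The script below is an added example for this article, not tooling from Microsoft, the NCSC or any vendor named here; the export format, field names, role names and the accounts themselves are constructed assumptions.

```python
"""Flag enabled accounts that match the SVR targeting described by the NCSC:
dormant user accounts (no recent sign-in) and service accounts holding
privileged roles.  Field names and role names are assumptions, not a real
vendor export schema."""
from datetime import datetime, timedelta, timezone

# Constructed sample export of a tenant's accounts (not real data).
ACCOUNTS = [
    {"upn": "alice@example.com", "enabled": True, "type": "user",
     "last_sign_in": "2024-01-28T09:12:00Z", "roles": []},
    {"upn": "bob@example.com", "enabled": True, "type": "user",
     "last_sign_in": "2023-06-02T17:45:00Z", "roles": ["Global Administrator"]},
    {"upn": "svc-reseller@partner.example", "enabled": True, "type": "service",
     "last_sign_in": None, "roles": ["Exchange Administrator"]},
    {"upn": "carol@example.com", "enabled": False, "type": "user",
     "last_sign_in": "2022-11-11T08:00:00Z", "roles": []},
]

# Assumed set of role names treated as privileged for this check.
PRIVILEGED = {"Global Administrator", "Exchange Administrator",
              "Privileged Role Administrator"}


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def audit_accounts(accounts, now_iso, dormant_days=90):
    """Return sorted (upn, reason) findings for accounts still usable for access."""
    cutoff = _parse(now_iso) - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot serve as initial access
        privileged = set(acct["roles"]) & PRIVILEGED
        last = _parse(acct["last_sign_in"])
        if acct["type"] == "service" and privileged:
            findings.append((acct["upn"], "service account holds privileged role(s): "
                             + ", ".join(sorted(privileged))))
        elif acct["type"] == "user" and (last is None or last < cutoff):
            reason = "enabled user account with no sign-in since " + (acct["last_sign_in"] or "never")
            findings.append((acct["upn"], reason + (" (privileged)" if privileged else "")))
    return sorted(findings)


if __name__ == "__main__":
    for upn, reason in audit_accounts(ACCOUNTS, "2024-02-01T00:00:00Z"):
        print(f"{upn}: {reason}")
```

Run against a real export, the same two rules give a starting list for the "audit logs" and "limit access" steps the agencies recommend: disable or remove dormant accounts, and strip or time-box privileged roles on partner service accounts.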

Microsoft’s revised assessment has renewed questions about its ability to defend itself and its vulnerable users. The intrusion is one of several breaches by the SVR over the past few years. In a previous incident, the hackers retrieved source code for the company’s identity verification system. Microsoft was also used as a stepping stone by Chinese government hackers last year to steal the emails of State and Commerce Department officials.

Chris Krebs, chief intelligence officer at security company SentinelOne, said Russia and others are naturally targeting cloud providers as more large companies and governments rely on them.

“We haven’t hit a pain point for them that might cause them to rethink their strategy of going after these big cloud service companies like Microsoft. They have that firmly on their target priority list,” said Krebs, who previously led the Cybersecurity and Infrastructure Security Agency.

In the latest case, Microsoft’s initial disclosure said SVR hackers had broken into a dormant cloud test account. But it didn’t say how they got from there into the emails of senior executives, and that question remains unanswered, leaving open the possibility that the SVR discovered a major new flaw in Microsoft’s Azure cloud system.

“It’s clear that authentication is a mess within Microsoft,” said Adam Meyers, senior vice president at CrowdStrike, which, like SentinelOne, competes with Microsoft in the security business.

Meyers said it’s dangerous that many government users rely on Microsoft not only for word processing and email, but also for authentication and security.

“If you put all your eggs in one basket, and that basket is Microsoft, that basket has a big egg-shaped hole in it,” Meyers said. “You need layered security.”
