Threat Awareness – Microsoft: Russians Believed to have Accessed Company Secrets and Source Code

Author: Chase Snow

Created: Tuesday, March 12, 2024 - 18:35

Categories: Cybersecurity

In an announcement made Friday on its company blog, Microsoft shared an update regarding the nation-state attack that the Microsoft Security Team detected on January 12. As was shared then, this was an attack by the Russian SVR state-sponsored group that Microsoft tracks as Midnight Blizzard (also known as APT29, NOBELIUM, CozyBear, and UNC452), and it focused on Microsoft’s corporate email systems. Microsoft has now shared that in recent weeks it has seen evidence that the threat group is using information initially exfiltrated from its corporate email system to gain, or attempt to gain, unauthorized access, which has included access to some of the company’s source code repositories and internal systems.

Noteworthy items from the update:

  • Per Microsoft’s statements, it remains unclear what source code the attackers have accessed, or whether they have gained any access to source code. Microsoft also stated, “we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”
  • Microsoft described the incident as an example of “what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”
  • Microsoft says “it is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”
  • Microsoft’s investigations are ongoing and the company has increased security investments and enhanced the ability to defend and harden its environment against this advanced persistent threat (APT).

Background: Midnight Blizzard is well-known for its attack on the technology company SolarWinds in 2020, which gave it access into several large companies, including multiple departments in the U.S. government. More recently, CISA and other U.S. and international partners released a joint advisory on Russian SVR actors targeting cloud infrastructure and provided resources to detect, protect against, and mitigate such attacks. For more information regarding Microsoft’s recent incident update, visit Microsoft or Cyberscoop.
