Seattle, Washington – Microsoft recently disclosed that the Kremlin-backed threat actor known as Midnight Blizzard, also known as APT29 or Cozy Bear, managed to gain unauthorized access to some of its source code repositories and internal systems following a cyberattack that surfaced in January 2024.
The tech giant stated that evidence showed Midnight Blizzard using information initially taken from its corporate email systems to gain access to confidential data. Although Microsoft found no evidence of compromise in its customer-facing systems, it continues to investigate the breach’s extent and impact.
The Russian state-sponsored threat actor is reportedly attempting to utilize various secrets it uncovered, including information shared between customers and Microsoft through email. The full scope of the breach and the specific source code accessed have not been disclosed.
Microsoft has ramped up its security investments and efforts following the breach, noting that Midnight Blizzard intensified its password spray attacks significantly in February. The ongoing attack demonstrates a high level of commitment, coordination, and focus from the threat actor, reflecting a complex and evolving global threat landscape.
Reportedly, the breach occurred in November 2023 when Midnight Blizzard successfully infiltrated a non-production test tenant account lacking multi-factor authentication. Microsoft has reached out to impacted customers directly but has not divulged the nature of the compromised data.
APT29, part of Russia’s Foreign Intelligence Service (SVR), has been active since at least 2008 and is known for targeting high-profile entities like SolarWinds. The group utilizes a diverse range of initial access methods, from stolen credentials to supply chain attacks, to penetrate organizations.
The breach underscores the persistent threat posed by sophisticated nation-state actors and highlights the importance of robust cybersecurity measures in safeguarding critical systems and data. Microsoft continues its investigation into the breach’s aftermath and remains vigilant against further cyber threats.