Microsoft is revealing today that it has discovered a nation-state attack on its corporate systems from the same Russian state-sponsored group of hackers that were responsible for the sophisticated SolarWinds attack. Microsoft says the hackers, known as Nobelium, were able to access email accounts of some members of its senior leadership team late last year.
“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” says the Microsoft Security Response Center in a blog post filed late on Friday.
Microsoft says the group was “initially targeting email accounts” for information about themselves, but it’s not clear what other emails and documents have been stolen in the process. “The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” says Microsoft.
The attack took place just days after Microsoft announced its plan to overhaul its software security following major Azure cloud attacks. While Microsoft customers don’t appear to have been impacted in this new incident and this wasn’t the result of a Microsoft vulnerability, this is still the latest in a line of cybersecurity incidents for Microsoft. It found itself at the center of the SolarWinds attack nearly three years ago, then 30,000 organizations’ email servers were hacked in 2021 due to a Microsoft Exchange Server flaw, and Chinese hackers breached US government emails via a Microsoft cloud exploit last year.
Microsoft is now changing the way it designs, builds, tests, and operates its software and services. It’s the biggest change to its security approach since the company announced its Security Development Lifecycle (SDL) in 2004 after huge Windows XP flaws knocked PCs offline.