Microsoft revealed on Thursday that a notorious Russia-based hacking group gained access to email accounts belonging to a “small number” of executives and senior leadership team members in a recent cyberattack campaign.
According to the tech giant, the attacks were part of a highly-targeted operation likely aimed at gathering intelligence and insights into Microsoft’s own cyber threat detection capabilities.
Timeline of the Attack
Microsoft said it detected unusual activity in January which, upon investigation, pointed to credential hopping techniques leveraging password spray attacks across many accounts.
“The attacks included successful account takeovers, enabling the actor to access and download specific employee emails between December 2022 and January 2023,” the company said in a statement.
“Our investigation concluded that sensitive emails were accessed specifically targeting our cyber threat detection teams and those working on sensitive security topics including defending against Solorigate and similar sophisticated attacks,” the statement added.
The hacking attempts are said to have begun as early as September 2022 before intensifying through the holiday period last month.
Besides its own employees, Microsoft said some of its customers may also have been caught up in the wider phishing campaign. The company has started notifying impacted customers.
Attribution to Russian Threat Actor
Attribution is difficult in cyberattacks, but Microsoft said the tactics, techniques, and procedures bear resemblance to those adopted by a threat cluster alternatively known as Nobelium, Solorigate, Iron Ritual, and UNC2452.
The U.S. government and multiple private cybersecurity firms have previously linked this advanced persistent threat group to Russia’s foreign intelligence service SVR.
Nobelium, in particular, orchestrated the devastating SolarWinds supply chain attack in 2020 that compromised nine federal agencies and approximately 100 private sector companies globally.
If confirmed to be Nobelium, the latest cyberespionage attempt could signal the hacking group’s return after maintaining a relatively low profile in 2022 and early 2023.
“While many nation-state actors aggressively target the public sector, Nobelium’s efforts and interest almost always align with Russia’s geopolitical priorities,” said Tom Burt, Microsoft’s vice president for customer security.
Insights into Attack Motives
The precision nature of the phishing operation has led analysts to speculate the intrusions were intended to dig up insights to aid future hacking missions against high-value targets rather than focused on stealing sensitive information.
“It seems they breached Microsoft’s network to find out what Microsoft knows about them,” said David Masson, director of enterprise security at cyber firm Darktrace.
By targeting employees involved in detecting and responding to cyberattacks, the hackers potentially gained visibility and context around what threats Microsoft is already aware of and how it goes about identifying malicious network activity.
“Armed with this knowledge, the hackers can attempt to ensure they fly under the radar in any future attack,” Masson added.
Ongoing Monitoring Efforts
Microsoft said it has been working closely with customers targeted through these attacks to ensure their systems remain protected.
So far, the company has found no evidence of further access or compromise. It has also taken steps to notify and engage government authorities on the matter.
“Microsoft continues to recommend customers enable multi-factor authentication and apply additional security best practices to protect against cyberattacks,” the company said.
| Security Measures for Organizations |
|---|
| Enable multi-factor authentication |
| Protect user credentials via password managers or passphrases over passwords |
| Limit admin/privileged role assignments |
| Apply principle of least-privilege |
| Install latest security updates promptly |
| Employ defense-in-depth with layered controls |
| Maintain offline backups |
| Provide cybersecurity awareness training |
While the scope of the attack appears limited, the fact that hackers breached and persisted inside Microsoft’s corporate networks is concerning.
As a leading cybersecurity vendor itself, the company is generally viewed as a heavily defended environment. Its security defenses are expected to be far more sophisticated compared to many other corporations.
Increased Nation-State Cyber Threats
The incident adds to recent signals that destructive cyberattacks from advanced hacking groups are continuing to grow in scale and sophistication. These attackers are also getting more brazen in their tactics.
Director of National Intelligence Avril Haines testified last week that the cyber threat from nation states has entered a new aggressive phase unseen over the prior decade.
“We expect the threat environment facing federal and private sector networks to become more challenging in 2023 and beyond as state and non-state actors become more sophisticated, gain access to more disruptive capabilities, and target public and private sector networks at scale worldwide,” Haines told the Senate Intelligence Committee.
With geopolitical tensions simmering, organizations should brace themselves for even more cyberattacks sponsored by foreign governments in the coming year.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
