Microsoft disclosed a significant security breach, revealing that state-backed Russian hackers infiltrated the company’s corporate email system, gaining unauthorized access to accounts belonging to members of the leadership team, as well as employees on its cybersecurity and legal teams.
The intrusion, initiated in late November, went undetected until January 12, according to a blog post by Microsoft. The company identified the same highly skilled Russian hacking team responsible for the SolarWinds breach as the perpetrators.
Microsoft acknowledged that a “very small percentage” of its corporate accounts were accessed, leading to the theft of some emails and attached documents. The affected accounts included those of key personnel, though specific details about the impacted leadership members were not immediately disclosed.
In a regulatory filing, Microsoft stated that it successfully removed the hackers’ access from the compromised accounts around January 13. The company is currently in the process of notifying employees whose email accounts were accessed during the breach. Microsoft’s ongoing investigation suggests that the hackers initially targeted email accounts for information related to the company’s activities.
The disclosure comes a month after a new U.S. Securities and Exchange Commission rule came into effect, requiring publicly traded companies to promptly disclose breaches that could negatively impact their business within four days, unless a national-security waiver is obtained.
In its regulatory filing, Microsoft assured that, as of the filing date, the incident has not had a material impact on its operations. However, the company has not determined whether the breach is reasonably likely to materially impact its finances.
Microsoft, headquartered in Redmond, Washington, revealed that the Russian hackers gained access by compromising credentials on a “legacy” test account, indicating potential vulnerabilities in outdated code. The attackers employed a brute-force attack technique known as “password spraying,” where a single common password is used to attempt to log into multiple accounts.
The hacking unit responsible for the breach is identified by Microsoft as Midnight Blizzard, previously known as Nobelium. Cybersecurity firm Mandiant, owned by Google, refers to the group as Cozy Bear.
Microsoft emphasized that the attack was not the result of a vulnerability in its products or services. As of now, there is no evidence that the hackers had any access to customer environments, production systems, source code, or AI systems. The company pledged to notify customers if any action is required.