Microsoft Admits Source Code Accessed by Midnight Blizzard

A "Midnight Blizzard" attack group not only accessed Microsoft corporate e-mails late last year, but also accessed source code, Microsoft explained in an announcement.

This new information comes from a Microsoft Security Response Center (MSRC) post this week. Microsoft also provided similar information in an amended 8-K Form, dated March 8, with the U.S. Securities and Exchange Commission. Midnight Blizzard is the tag name for an advanced persistent threat group, thought to be Russia affiliated.

While accessing source code is a bad outcome, Microsoft suggested that it may not have affected its services to customers. Here's how the MSRC put it:

In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.

The update further explained that the attack group has attempted to use "secrets" (internal access codes) that were included in some of Microsoft's e-mails to its customers. Microsoft has been "reaching out to these customers" with "mitigating measures."

Microsoft had initially reported the exfiltration of e-mails by Midnight Blizzard back in January, and had indicated then that the attack likely started in late November 2023. Microsoft's initial report on the incident didn't mention that source code had been accessed by the attackers; that is new information.

Midnight Blizzard had used the "password spray" method to guess the passwords of Microsoft's nonproduction test accounts, and then escalated privileges from there. These password spray attacks didn't stop after Microsoft's disclosure in January, but instead increased "by as much as 10-fold in February."
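One way to spot the spray pattern described above in sign-in telemetry, as an added example that is not part of the article or of Microsoft's own tooling: a source that fails against many distinct accounts with only one or two tries each is a spray, whereas many failures against one account is ordinary brute force. The log format, the IP addresses, the account names and the thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not from Microsoft's disclosure):
# timestamp, source IP, account, result
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 test-user01@example.test FAIL
2023-11-20T02:00:04Z 203.0.113.7 test-user02@example.test FAIL
2023-11-20T02:00:09Z 203.0.113.7 test-user03@example.test FAIL
2023-11-20T02:00:15Z 203.0.113.7 test-user04@example.test FAIL
2023-11-20T02:00:21Z 203.0.113.7 test-user05@example.test FAIL
2023-11-20T02:00:27Z 203.0.113.7 test-user06@example.test SUCCESS
2023-11-20T02:05:00Z 198.51.100.2 alice@example.test FAIL
2023-11-20T02:05:03Z 198.51.100.2 alice@example.test FAIL
2023-11-20T02:05:07Z 198.51.100.2 alice@example.test FAIL
"""

def parse(line):
    ts, ip, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result

def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted accounts} for sources whose failed sign-ins
    inside `window` touch at least `min_accounts` distinct accounts with at
    most `max_per_account` tries each (thresholds are illustrative)."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    hits = {}
    for ip in {e[1] for e in events}:
        fails = [e for e in events if e[1] == ip and e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):          # sliding time window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_acct = defaultdict(int)
            for _, _, acct, _ in fails[start:end + 1]:
                per_acct[acct] += 1
            if (len(per_acct) >= min_accounts
                    and max(per_acct.values()) <= max_per_account):
                hits[ip] = sorted(per_acct)
                break
    return hits

def successes_after_spray(log_text, hits):
    """Accounts that did sign in from a flagged source: the first to reset,
    since a guessed password is the foothold for later escalation."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return sorted({a for _, ip, a, r in events if ip in hits and r == "SUCCESS"})
```

On the constructed records, 203.0.113.7 is flagged (five accounts, one try each) while 198.51.100.2 is not (three tries on one account), and the one successful sign-in from the flagged source is surfaced for follow-up.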

Microsoft explained in its amended 8-K Form that the "threat actor's activities are ongoing" with regard to using e-mail information to access its source code, but suggested those activities hadn't substantially affected its customer operations.

"As of the date of this filing, the incident has not had a material impact on the Company's operations," the amended 8-K Form indicated. However, it added that Microsoft hasn't yet made a full determination.

The use of 8-K forms to report cyberattacks is a relatively new practice. Hewlett Packard Enterprise, also hit by Midnight Blizzard, used the same publication route, without issuing a public announcement.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.