
Microsoft Admits Source Code Accessed by Midnight Blizzard

The "Midnight Blizzard" attack group not only accessed Microsoft corporate e-mails late last year, but also accessed source code, Microsoft explained in an announcement.

This new information comes from a Microsoft Security Response Center (MSRC) post this week. Microsoft also provided similar information in an amended 8-K Form, dated March 8, with the U.S. Securities and Exchange Commission. Midnight Blizzard is the tag name for an advanced persistent threat group, thought to be Russia-affiliated.

While accessing source code is a bad outcome, Microsoft suggested that it may not have affected its services to customers. Here's how the MSRC put it:

In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company's source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.

The update further explained that the attack group has attempted to use "secrets" (internal access codes) that were included in some of Microsoft's e-mails to its customers. Microsoft has been "reaching out to these customers" with "mitigating measures."

Microsoft had initially reported the exfiltration of e-mails by Midnight Blizzard in January, and had indicated then that the attack likely started in late November 2023. That initial report didn't mention that source code had been accessed by the attackers, which is new information.

Midnight Blizzard had used the "password spray" method to guess the passwords of Microsoft's nonproduction test accounts, and then escalated privileges from there. These password spray attacks didn't stop after Microsoft's disclosure in January, but instead increased "by as much as 10-fold in February."

Microsoft explained in its amended 8-K Form that the "threat actor's activities are ongoing" with regard to using e-mail information to access its source code, but suggested those activities hadn't substantially affected its customer operations.

"As of the date of this filing, the incident has not had a material impact on the Company's operations," the amended 8-K Form indicated. However, it added that Microsoft hasn't yet made a full determination.

The use of 8-K forms to report cyberattacks seems kind of new. Hewlett Packard Enterprise, also hit by Midnight Blizzard, used the same publication route, without issuing a public announcement.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
