Russian-backed hackers gained access to Microsoft senior leadership’s corporate email accounts, the software giant disclosed in a regulatory filing Friday.
The cyber attack, which began in November, is believed to have been carried out by Russian state-sponsored cybercrime group Midnight Blizzard. The hackers gained access to a “very small percentage” of corporate email accounts, including those of senior leadership and employees in cybersecurity, legal and other functions, Microsoft said in the filing. Microsoft first detected the breach January 12 and has begun a system response, it said.
Microsoft’s investigation found the hackers appeared to be targeting email accounts for information related to Midnight Blizzard itself, and that they succeeded in taking some emails and attached documents.
The group, also known as Nobelium, first launched its operations in 2008. It has been suspected of being part of the Russian foreign intelligence service, and was involved in several high-profile attempted and successful hacks, including of the Pentagon in 2015 and the Democratic National Committee and U.S. think tanks during the 2016 election, according to Scottish cybersecurity firm Quorum Cyber. Midnight Blizzard has a known interest in secret geopolitical data that could benefit the Russian state and acts with the purpose of espionage, the firm said.
Following its investigation, Microsoft found no evidence Midnight Blizzard had any access to customer accounts, production systems, source code or artificial intelligence systems, it disclosed. The attack was not the result of a vulnerability in Microsoft products or services, the company added.
Microsoft said the incident has “highlighted the urgent need to move even faster” in applying its current security standards to Microsoft-owned legacy systems and internal business processes. While it will likely cause “some level of disruption” to its business processes, Microsoft noted that it is a “necessary step” and the first of several to ensure tightened cybersecurity.
“Given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient,” Microsoft said in the filing.
Friday’s disclosure follows a new Securities and Exchange Commission rule requiring companies to disclose cybersecurity incidents, including cyberattacks, hacks and ransomware demands. The disclosures are designed to create transparency around cybersecurity risks that have become increasingly common.
Several U.S. companies suffered data breaches last year, including MGM Resorts and Clorox — both of which suffered millions of dollars in financial losses from the attacks. In 2022, 83% of organizations experienced more than one data breach with an average cost of $9.44 million, according to the Securities and Exchange Commission.