A recent Form 8-K SEC filing by Microsoft states that some of their senior leadership and cybersecurity emails were compromised by a Russian hacker group as of November 2023. The Microsoft email hack was revealed in a mandatory SEC filing, which also notes that the hacker group’s access was terminated as of January 13, 2024, roughly two months later.
Impacts and Microsoft’s Response
While the current known impacts are limited to Microsoft employees, a blog post included as an attachment to the SEC filing notes Microsoft’s ongoing investigation into the incident. This investigation may reveal further compromise, such as employee or customer data breaches, or further system compromise. It could also reveal that Microsoft’s systems were safeguarded and no further access was gained by the attackers.
The response itself can be criticized for its lack of detail and for the quiet way the information came out, in an SEC filing and blog post on a Friday evening. The gravity of any compromise at a far-reaching enterprise like Microsoft may warrant more transparent disclosure. At the same time, it may be true that there are no further details, and that the quiet notice was meant to avoid market issues for investors, to whom the company is a fungible holding. A small notice would also make sense if there truly are no further important details to provide about the incident.
One of the greatest impacts for any company that experiences a successful cyberattack is a loss of customer and other stakeholder confidence and trust. Large enterprises are no strangers to this, and Microsoft has had its share. While other compromises might have been attributable to mistakes in its products, this breach, albeit potentially small, is attributable to neglect of simple standards, which is one of the worst ways for a compromise to happen. Worse, the standards were neglected by cybersecurity personnel and senior leadership, who should be setting the example.
How Did This Happen?
The Microsoft email hack was performed by a hacker group using a password spray attack to gain access to a test server. Password spraying is a type of brute force attack. A common form of brute force attack is to try different passwords over and over again on one or more accounts. Password spraying instead tries the same simple or common password across many accounts. In this way, no single account accumulates enough failed attempts to be locked out.
Although Microsoft did not disclose as much in this case, it is clear both that a simple password was used on the test system that was accessed and that at least some of the affected email accounts and/or the test system were not protected by two-factor authentication.
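To make the distinction between a spray and a classic brute force concrete from the defender's side, here is an added example (not code from the original post or from Microsoft) that labels sources in a constructed sign-in log. The log format, the lockout count and the spray threshold are assumptions chosen for the sample; a real detector would read Entra ID or Windows sign-in events and slide its window rather than using fixed buckets.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Constructed sample log (added example, not real data): "<UTC time> <account> <source> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2023-11-20T02:00:01Z alice      203.0.113.7  FAIL
2023-11-20T02:00:04Z bob        203.0.113.7  FAIL
2023-11-20T02:00:07Z carol      203.0.113.7  FAIL
2023-11-20T02:00:16Z test-admin 203.0.113.7  SUCCESS
2023-11-20T02:01:00Z svc-backup 198.51.100.9 FAIL
2023-11-20T02:01:02Z svc-backup 198.51.100.9 FAIL
2023-11-20T02:01:04Z svc-backup 198.51.100.9 FAIL
2023-11-20T02:05:00Z alice      192.0.2.5    FAIL
2023-11-20T02:05:20Z alice      192.0.2.5    SUCCESS
"""
LOCKOUT_THRESHOLD = 3    # assumed per-account lockout count (kept low for the short sample)
SPRAY_MIN_ACCOUNTS = 3   # assumed: this many distinct accounts failing from one source marks a spray
WINDOW = timedelta(minutes=10)

def parse_log(text):
    # Turn the constructed format into (timestamp, account, source, result) tuples.
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, source, result = line.split()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((when, account, source, result))
    return events

def classify_sources(events, window=WINDOW, lockout=LOCKOUT_THRESHOLD, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Per source: 'brute-force' if one account reaches lockout in a window; 'spray' if failures
    spread over >= min_accounts accounts while each account stays below the lockout count."""
    counts = defaultdict(lambda: defaultdict(int))  # (source, window bucket) -> account -> failures
    for when, account, source, result in events:
        if result == "FAIL":
            bucket = int(when.timestamp() // window.total_seconds())  # fixed buckets; a real
            counts[(source, bucket)][account] += 1                    # detector would slide
    labels = {}
    for (source, _), per_account in counts.items():
        if max(per_account.values()) >= lockout:
            labels[source] = "brute-force"
        elif len(per_account) >= min_accounts:
            labels.setdefault(source, "spray")
    return labels

def successes_after_spray(events, labels):
    """Accounts that signed in successfully from a spraying source: the finding to act on first."""
    hits = defaultdict(list)
    for _, account, source, result in events:
        if result == "SUCCESS" and labels.get(source) == "spray":
            hits[source].append(account)
    return dict(hits)
```

In the sample, the source that guesses once against each of three accounts is labelled a spray and its one successful sign-in is surfaced, while the source hammering a single service account is labelled brute force and the user who mistyped once is left alone.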
Who is Responsible?
The hacker group responsible goes by many names, depending on who you ask:
- Midnight Blizzard
- Cozy Bear
- Nobelium
- Advanced Persistent Threat 29 (APT29)
These names can differ between government, security industry, and public reporting. The group has been operating since at least 2008.
Referenced then as Nobelium, the group was responsible for the 2020 cyberattack on SolarWinds, a Microsoft-affiliated government supplier, and has had ongoing high-tier operations before and since.
How are They Related to Russia?
The group is a proxy for Sluzhba vneshney razvedki Rossiyskoy Federatsii (SVR RF, commonly called SVR), the Russian Foreign Intelligence Service. SVR is the successor to the KGB, analogous to the United States’ CIA and Britain’s SIS (MI6). An interesting note about SVR in the cyber space is that its operations are normally subtle, while the operations of Russia’s Main Intelligence Directorate, GRU, and other Russian state-sponsored actors commonly leave traces of their work that make them easily identifiable.
What to Do
There is currently no indication that customers are affected; however, here are some preventative steps in case of follow-on effects from this incident:
- Enable two-factor authentication for web versions of Outlook and other applications where possible.
- Use strong passwords for all applications.
- Use uncommon or nonsensical but easy-to-remember phrases – “The Moon Loves January!”, “phones.hybrid.musical”
- Pseudo-random strings of text are also strong, but harder to remember. Replace letters in words with other characters.
- Change default passwords for applications.
- Avoid passwords that are too simple or common – password, abc123, ilovejane, godolphins!
- Do not leave written down passwords in publicly available places, even if they are hidden.
- Change passwords at least annually; semi-annually is better, quarterly is wonderful! 😉
- Monitor for further releases from Microsoft (no guarantees…).
Need Help?
Large companies are not the only targets. Their customers can provide valuable resources, such as money and throw-away accounts for further attacks or escalation of current ones. Finding the Light can help you navigate the steps to mitigating these threats.