Microsoft and HPE Fall Victim to Sophisticated Cyber Attacks by Russian Group ‘Midnight Blizzard’
Microsoft recently disclosed that it was compromised by the Russian state-linked threat group it tracks as 'Midnight Blizzard,' also known as NOBELIUM, APT29 and Cozy Bear. The group, which the NSA and FBI (together with CISA and the UK's NCSC) have attributed to Russia's Foreign Intelligence Service (SVR), abused malicious OAuth applications to reach Microsoft's corporate email environment and read and exfiltrate emails and attachments.
The intrusion, which Microsoft first detected on January 12, was followed by a similar disclosure from Hewlett Packard Enterprise (HPE) in a Form 8-K filed with the Securities and Exchange Commission (SEC) on January 19. HPE said it was notified in December 2023 that its cloud-based email environment had been accessed, and attributed the intrusion to Midnight Blizzard.
Microsoft described the attack chain in a blog post. The adversary gained initial access with a password-spray attack against a "legacy, non-production test tenant" whose accounts were not protected by Multi-Factor Authentication (MFA). Password spraying tries a small number of common passwords against many accounts, so each account sees only one or two failures and lockout thresholds never trip; without MFA, one guessed password is enough. From that foothold the attackers compromised a legacy test OAuth application that had elevated access into Microsoft's corporate environment, which is the critical misconfiguration: a non-production tenant should never hold credentials or application permissions that reach production. Using that application, Midnight Blizzard created additional malicious OAuth applications and a new user account, and used that account to grant consent to the attacker-controlled applications in the corporate environment.
Microsoft further explained that the actors used the legacy test OAuth application to grant themselves the 'Office 365 Exchange Online full_access_as_app' role. This is an application permission rather than a delegated one: a service principal holding it can read every mailbox in the tenant without any user signing in, unless an Exchange application access policy restricts it to specific mailboxes. Microsoft's initial assessment, shared on January 19, said the attackers accessed a very small percentage of Microsoft corporate email accounts, including those of senior leadership and of staff in cybersecurity, legal and other functions, over roughly four weeks. The investigation indicates that the initial objective was to find out what Microsoft knew about Midnight Blizzard itself.
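The two things a tenant administrator would want to check after reading the chain above are (a) which service principals currently hold full_access_as_app on Exchange Online and (b) whether any recently created account has been granting consent or app-role assignments. The following is an added example, not code from Microsoft, HPE or the article: it runs the two checks over records constructed to look like Microsoft Graph appRoleAssignment objects and Entra ID audit-log entries. EXO_APP_ID is the well-known appId of the Office 365 Exchange Online service principal; FULL_ACCESS_AS_APP is the role ID this example assumes for full_access_as_app, and both should be confirmed against the Exchange Online service principal in your own tenant. Account names, app names and timestamps are invented.

```python
"""Hunt for the OAuth abuse chain described above in Entra ID / Graph data.

Added example, not Microsoft's or HPE's code. Records are constructed to
resemble Graph appRoleAssignment objects and Entra ID audit-log entries.
"""
from datetime import datetime, timedelta

EXO_APP_ID = "00000002-0000-0ff1-ce00-000000000000"          # Office 365 Exchange Online
FULL_ACCESS_AS_APP = "dc890d15-9560-4a4c-9b7f-a736ec74ec40"  # assumed role ID, verify
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"        # Microsoft Graph

# Constructed: app-role assignments as listed under
# GET /servicePrincipals/{id}/appRoleAssignments, with the resource's appId
# resolved so the check does not depend on tenant-specific object IDs.
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "HR-Sync", "resourceAppId": GRAPH_APP_ID,
     "appRoleId": "df021288-bdef-4463-88db-98f22de89214"},        # User.Read.All
    {"principalDisplayName": "legacy-test-app", "resourceAppId": EXO_APP_ID,
     "appRoleId": FULL_ACCESS_AS_APP},
    {"principalDisplayName": "mailbox-backup", "resourceAppId": EXO_APP_ID,
     "appRoleId": FULL_ACCESS_AS_APP},
]


def find_full_access_grants(assignments):
    """Names of service principals holding full_access_as_app on Exchange Online.

    Every entry returned can read every mailbox in the tenant; each one needs
    an owner, a justification and an ApplicationAccessPolicy scoping it to
    specific mailboxes, or it should be removed.
    """
    return sorted({a["principalDisplayName"] for a in assignments
                   if a["resourceAppId"] == EXO_APP_ID
                   and a["appRoleId"] == FULL_ACCESS_AS_APP})


# Constructed Entra ID audit-log entries. The activity names are the ones
# Entra uses; the accounts and timestamps are invented for the example.
SAMPLE_AUDIT = [
    {"time": "2024-01-02T10:00:00", "activity": "Add user",
     "initiatedBy": "legacy-test-app", "target": "svc-consent@corp.example"},
    {"time": "2024-01-02T10:05:00", "activity": "Add service principal",
     "initiatedBy": "svc-consent@corp.example", "target": "mail-reader-2"},
    {"time": "2024-01-02T10:06:00", "activity": "Consent to application",
     "initiatedBy": "svc-consent@corp.example", "target": "mail-reader-2"},
    {"time": "2024-01-02T10:07:00", "activity": "Add app role assignment to service principal",
     "initiatedBy": "svc-consent@corp.example", "target": "mail-reader-2"},
    {"time": "2023-11-15T09:00:00", "activity": "Consent to application",
     "initiatedBy": "alice@corp.example", "target": "HR-Sync"},
]

CONSENT_ACTIVITIES = {"Consent to application",
                      "Add app role assignment to service principal"}


def new_account_consent_chain(events, window_days=7):
    """(user, app) pairs where a freshly created account granted consent.

    Mirrors the reported chain: a user account is created and, within
    `window_days`, that same account consents to or assigns app roles for an
    application. Long-standing accounts consenting to apps are not flagged.
    """
    created = {}
    for e in events:
        if e["activity"] == "Add user":
            created[e["target"]] = datetime.fromisoformat(e["time"])
    hits = set()
    for e in events:
        if e["activity"] not in CONSENT_ACTIVITIES:
            continue
        born = created.get(e["initiatedBy"])
        if born is None:
            continue
        age = datetime.fromisoformat(e["time"]) - born
        if timedelta(0) <= age <= timedelta(days=window_days):
            hits.add((e["initiatedBy"], e["target"]))
    return sorted(hits)


if __name__ == "__main__":
    print("full_access_as_app holders:", find_full_access_grants(SAMPLE_ASSIGNMENTS))
    print("new-account consent chain:", new_account_consent_chain(SAMPLE_AUDIT))
```

Against the constructed data the first check surfaces both `legacy-test-app` and `mailbox-backup`, which is the point: the role itself is not evidence of compromise, but every holder is a tenant-wide mailbox reader and must be justified. The second check flags only the account created minutes before it started consenting to a new application, and ignores the long-standing user who consented to an HR app weeks earlier.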
Another notable aspect of the intrusion was Midnight Blizzard's use of residential proxy infrastructure: the actor routed its traffic through a large pool of IP addresses that are also used by legitimate home users, so the sign-ins did not stand out by source address, reputation or geolocation, and per-IP rate limits were never reached. Detection in that setting has to key on behaviour (spray patterns across many accounts, new OAuth consents, unusual app-role assignments) rather than on where the traffic comes from. The HPE breach followed a similar pattern, affecting mailboxes of personnel in cybersecurity, go-to-market, business segments and other functions. HPE said the intrusion was likely related to earlier Midnight Blizzard activity dating back to May 2023, in which a limited number of SharePoint files were accessed and exfiltrated.
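Because each spray attempt arrives from a different residential address, a per-IP failure counter never fires. The following added example (not code from Microsoft, HPE or the article) shows the aggregation that does work: bucket failed sign-ins by hour across the whole tenant and flag buckets with many distinct accounts, very few failures per account, and almost every failure from a fresh IP. The sign-in rows are constructed to resemble Entra ID sign-in log entries; 50126 is Entra's error code for an invalid username or password, and the accounts, addresses and times are invented.

```python
"""Detect low-and-slow password spraying routed through residential proxies.

Added example, not Microsoft's or HPE's code. Sign-in rows are constructed
to resemble Entra ID sign-in log entries.
"""
from collections import defaultdict
from datetime import datetime

INVALID_CREDENTIALS = 50126  # Entra sign-in error: wrong username or password

# Constructed sign-in log rows. Six accounts each fail once, every attempt
# from a different IP (the residential-proxy pattern), and one of them then
# succeeds. Alice mistyping her password three times from one office IP is
# ordinary noise that a per-user threshold would wrongly prioritise.
SAMPLE_SIGNINS = [
    {"time": "2024-01-02T03:01:00", "user": "u1@corp.example", "ip": "203.0.113.10", "error": 50126},
    {"time": "2024-01-02T03:04:00", "user": "u2@corp.example", "ip": "198.51.100.7", "error": 50126},
    {"time": "2024-01-02T03:09:00", "user": "u3@corp.example", "ip": "192.0.2.55", "error": 50126},
    {"time": "2024-01-02T03:15:00", "user": "u4@corp.example", "ip": "203.0.113.77", "error": 50126},
    {"time": "2024-01-02T03:22:00", "user": "u5@corp.example", "ip": "198.51.100.90", "error": 50126},
    {"time": "2024-01-02T03:30:00", "user": "u6@corp.example", "ip": "192.0.2.130", "error": 50126},
    {"time": "2024-01-02T03:31:00", "user": "u6@corp.example", "ip": "192.0.2.131", "error": 0},
    {"time": "2024-01-02T09:10:00", "user": "alice@corp.example", "ip": "203.0.113.5", "error": 50126},
    {"time": "2024-01-02T09:10:30", "user": "alice@corp.example", "ip": "203.0.113.5", "error": 50126},
    {"time": "2024-01-02T09:11:00", "user": "alice@corp.example", "ip": "203.0.113.5", "error": 50126},
    {"time": "2024-01-02T09:12:00", "user": "alice@corp.example", "ip": "203.0.113.5", "error": 0},
]


def _hour(row):
    return datetime.fromisoformat(row["time"]).strftime("%Y-%m-%dT%H")


def detect_spray(signins, min_users=5, max_per_user=2.0, min_ip_ratio=0.8):
    """Return hour buckets that look like a spray: many distinct accounts,
    few failures per account, and nearly every failure from a distinct IP."""
    buckets = defaultdict(list)
    for s in signins:
        if s["error"] == INVALID_CREDENTIALS:
            buckets[_hour(s)].append(s)
    alerts = []
    for hour, fails in sorted(buckets.items()):
        users = {f["user"] for f in fails}
        ips = {f["ip"] for f in fails}
        if (len(users) >= min_users
                and len(fails) / len(users) <= max_per_user
                and len(ips) / len(fails) >= min_ip_ratio):
            alerts.append({"hour": hour, "failures": len(fails),
                           "users": len(users), "distinct_ips": len(ips)})
    return alerts


def successes_after_spray(signins, alerts):
    """Accounts that signed in successfully inside a flagged hour. These are
    the sprays that may have landed, which is exactly where a tenant without
    MFA has no second line of defence."""
    flagged = {a["hour"] for a in alerts}
    return sorted({s["user"] for s in signins
                   if s["error"] == 0 and _hour(s) in flagged})


if __name__ == "__main__":
    hits = detect_spray(SAMPLE_SIGNINS)
    print("spray windows:", hits)
    print("successful sign-ins in those windows:", successes_after_spray(SAMPLE_SIGNINS, hits))
```

The 03:00 bucket is flagged (six failures, six accounts, six addresses), while Alice's three failures from one IP at 09:00 are not, even though she is the only account exceeding a naive per-user threshold. The follow-up function then isolates `u6`, whose successful sign-in from yet another fresh address inside the flagged window is what an investigator should look at first.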