January 20, 2024

Threat Level: High

Threat: Microsoft Attacked by Nation State Actor Midnight Blizzard

SUMMARY

On January 12, 2024, the Microsoft Security team detected attacks on its corporate systems by Midnight Blizzard, a Russian state-sponsored threat actor. This is the same Russian threat actor behind the SolarWinds breach.

Three months ago, the threat actor used a password spray attack to compromise a non-production account and then used that access to reach a small number of internal email addresses. There is no evidence that customer environments were accessed, and Microsoft says that this “was not a result of a vulnerability in Microsoft products or services”. Initial investigation indicates that the threat actor was looking for information related to itself.

SEVERITY

5ironCyber considers this a High Alert event due to the actions of the threat actor behind the SolarWinds breach.

RECOMMENDATION

  • Remain vigilant and cautious with processes, procedures and access to Microsoft products and administrator accounts.
  • Monitor activity within Microsoft accounts for any anomalous behavior.
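
One way to put the monitoring recommendation into practice for the password spray pattern described in the summary, shown as an added example that is not from Microsoft or 5ironCyber: it flags a source that fails against many distinct accounts with only a few tries each, then lists any successful sign-in from that source. The event layout, thresholds, function names, addresses and account names are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, source IP, account, success).
# The field layout is an assumption, not a Microsoft log schema.
SPRAY_TARGETS = ["alice", "bob", "carol", "dave", "erin", "legacy-test"]
SAMPLE_EVENTS = [
    (f"2024-01-15T03:{2 * i:02d}:00", "203.0.113.7", f"{u}@example.test", False)
    for i, u in enumerate(SPRAY_TARGETS)
] + [
    ("2024-01-15T03:20:00", "203.0.113.7", "legacy-test@example.test", True),
    # One user mistyping a password: several failures, but a single account.
    ("2024-01-15T09:00:00", "198.51.100.20", "frank@example.test", False),
    ("2024-01-15T09:00:20", "198.51.100.20", "frank@example.test", False),
    ("2024-01-15T09:00:40", "198.51.100.20", "frank@example.test", False),
    ("2024-01-15T09:01:00", "198.51.100.20", "frank@example.test", True),
]

def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_tries_per_account=2):
    """Map source IP -> accounts it failed against, for sources that fail on
    many distinct accounts with few tries each inside one sliding window."""
    failures = defaultdict(list)
    for ts, ip, account, success in events:
        if not success:
            failures[ip].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            counts = Counter(account for _, account in rows[start:end + 1])
            if (len(counts) >= min_accounts
                    and max(counts.values()) <= max_tries_per_account
                    and len(counts) > len(flagged.get(ip, []))):
                flagged[ip] = sorted(counts)  # keep the widest match seen
    return flagged

def successes_from_flagged(events, flagged):
    """(source IP, account) pairs where a flagged source signed in successfully."""
    return sorted({(ip, acct) for _, ip, acct, ok in events if ok and ip in flagged})

if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_EVENTS)
    print(hits)
    print(successes_from_flagged(SAMPLE_EVENTS, hits))
```

Grouping by source IP alone misses a spray spread across many addresses, so the same counting can be keyed on another shared attribute where the logs provide one.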

SOURCES