Microsoft announced on Friday that the Kremlin-backed threat actor known as Midnight Blizzard (aka APT29 or Cozy Bear) gained access to certain of its source code repositories and internal systems as a result of a compromise discovered in January 2024.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” the company stated in a statement.

“This includes access to some of the company’s source code repositories and internal systems. “We have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Could Bitcoin’s recent surge concern the Fed?

Redmond, which is still investigating the scope of the breach, said the Russian state-sponsored threat actor is seeking to exploit the various sorts of information it discovered, including those exchanged between customers and Microsoft via email.

It did not, however, reveal what these secrets were or the scope of the breach, while stating that it had personally contacted affected consumers. It’s unclear whose source code was accessed.

Microsoft said that it has upped its security efforts and added that the adversary escalated its password spray assaults by up to tenfold in February, compared to the “already large volume” recorded in January.

“Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” according to the statement.

“It might be utilizing the data it has gathered to build a picture of regions to attack and improve its ability to do so. This reflects an increasingly unprecedented global threat scenario, particularly in terms of sophisticated nation-state assaults.

The Microsoft breach is claimed to have occurred in November 2023, when Midnight Blizzard used a password spray assault to successfully compromise a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) activated.

QEMU Emulator Used as Tunneling Tool to Breach Company Network

In late January, the IT giant announced that APT29 had targeted other firms using a variety of initial access tactics ranging from stolen credentials to supply chain assaults.

Midnight Blizzard is considered a branch of Russia’s Foreign Intelligence Service (SVR). The threat actor has been active since at least 2008, and it is one of the most prolific and sophisticated hacking outfits, having compromised high-profile targets like SolarWinds.

source