Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

After Microsoft Suffers Mega-Breach, What Can Customers Do?

Warnings: Products' Source Code at Risk, Customers' Secrets Spilled via Email
After Microsoft Suffers Mega-Breach, What Can Customers Do?
Russian state hackers penetrated Microsoft and there's not much users can do about it. (Image: Shutterstock)

What did Microsoft mean when it said that a nation-state hacking group has been "attempting to use secrets of different types" it stole from the technology giant's communications with its customers?

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

That's one question being asked by security experts, following Microsoft on Friday warning in a security alert as well as filing to the U.S. Securities and Exchange Commission that a hack attack it discovered in January, six weeks after it began, has turned out to be worse than it initially believed (see: Russian State Hackers Penetrated Microsoft Code Repositories).

One of the other big takeaways shared by Microsoft as its probe continues was that attackers gained "access to some of the company's source code repositories and internal systems."

"To be able to get to the source code, that is the crown jewels," said Alan Woodward, a visiting professor of computer science at the University of Surrey, who has testified before the British Parliament on supply chain security. "Then you have to think: what might they have changed? Also, this appears to be a nation-state attack, and they did a lot of very clever cleaning up after themselves as they went through," which will make rapidly probing the incident or reaching firm conclusions all the more difficult.

Other open questions: Why was Microsoft using email to trade secrets with customers, and what were these secrets - perhaps passwords or API keys? Did attackers alter source code, potentially inserting backdoors, and if so for which products? Is there anything potentially affected customers or users of Microsoft's products can do to protect themselves?

The company has yet to provide answers to any of those questions, except to say that it's reaching out to companies likely to be targeted after its email operational security fail (see: Microsoft: Russian Hackers Had Access to Executives' Emails).

Under Fire

As the developer of the world's most-used desktop operating system, among other software, Microsoft is a major target, and nation-state attack groups continue to come calling.

"The last year has been a hit parade of Russian and Chinese cyber actors penetrating some of the most sensitive parts of Microsoft networks. Some of the attacks were sophisticated, others routine and could have been addressed by Microsoft's own security guidance," said Chris Krebs, chief intelligence officer at SentinelOne, which competes with Microsoft's security business.

"Any way you cut it, the threat is very real and very serious, and the prevailing view across the national security community seems to be that Microsoft is hanging on by a thread," said Krebs, who served as the first director of the U.S. Cybersecurity and Infrastructure Security Agency. "These continued incidents pose a significant risk to companies that rely on Microsoft systems and are driving executives in government and industry alike to reevaluate their dependence on Microsoft systems."

Microsoft attributed the November 2023 attack to a Russian-backed hacking group it codenames Midnight Blizzard - formerly Nobelium - also known as APT29 and Cozy Bear. The Biden administration in 2021 connected the group to Russia's Foreign Intelligence Service, the SVR, and tied it to the supply-chain attack that inserted code into the widely used Orion IT monitoring software built by SolarWinds.

So far, Microsoft hasn't detailed exactly how attackers last November successfully used a password-spraying attack to gain access to "a legacy non-production test tenant account" and from there to access corporate emails and internal systems.

"It's clear that authentication is a mess within Microsoft," Adam Meyers, head of counter adversary operations at CrowdStrike, told The Washington Post. CrowdStrike also competes with Microsoft's security business.

Meyers told Information Security Media Group that Microsoft's Friday alert "creates more questions for customers and the industry than it answers," and also "introduces doubt that they have been able to evict Cozy Bear," meaning SVR hackers might still have access to its network.

Source Code Review

Woodward said his expectation is that Microsoft will review all potentially accessed source code for signs of tampering. This would be no small feat, given that software such as Windows 11 runs to 50 million lines of code and isn't static, with fresh commits happening constantly. Attackers might also be reviewing stolen code offline looking for previously undiscovered ways to exploit or subvert it.

Another major concern would be if attackers successfully inserted code into the Azure cloud computing platform or Active Directory service, he said, although even backdoors added to the likes of Word or Excel could still be extremely damaging.

CrowdStrike's Meyers said a potential issue isn't just the integrity of code bases but also the large language models used by Azure and other products. "In a year where 42% of the world's population is electing new leadership, I am concerned with how the potential access to Microsoft's sensitive data and AI models may be misused by hostile nation states," he said.

What Can Users Do?

Pending Microsoft releasing more details or guidance, what can its users can do to better protect themselves, especially if source code has gotten altered or gone missing?

"My personal reaction is: there's nothing that users can really do; we can't stop using Microsoft's software," Woodward said. "You're totally dependent on Microsoft cleaning up the problem, and they're up against some nation states that are fairly determined."

One welcome move as a result of the breach, he said, would be for Microsoft to make the use of multifactor authentication mandatory, not least to just block outright many more types of attacks, or the impact of many types of intrusions. "It's interesting - my university now uses multifactor authentication everywhere," he said. "Some people say it's annoying, it asks you to reauthenticate every 14 days, but it's saved our bacon, and multiple times."

With Microsoft not yet stating which products' source code might be at risk, knowing where to potentially focus more specific defenses remains challenging, said Brian Honan, head of Dublin-based cybersecurity firm BH Consulting.

In general, he too recommends organizations review their use of multi-factor authentication, as well as ensure they're encrypting data at rest and consider employing additional, third-party security tools to create a more layered defense. "Organizations should also ensure they have appropriate levels of security logging and monitoring of their logs in place," especially to help investigate incidents that come to light later - potentially as a result of these intrusions at Microsoft, he said (see: CISA Launches Logging Tool For Resource-Poor Organizations).

One facet of the Microsoft intrusion that all organizations should learn from is to guard against using emails to share any type of secret, he said.

"Email is inherently not a secure medium to transfer secure and sensitive information and organizations should review what data they are sharing via email," said Honan, who founded Ireland's first computer emergency response team, IRISS-CERT. "Based on that review organizations should implement additional controls regarding email security, such as end-to-end encryption or data loss prevention tools, to detect and prevent sensitive information leaking via email."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.