Microsoft Says Test Account Gave Hackers Keys to the KingdomPostmortem: Multiple Customers Also Targeted by Russian Nation-State Attackers
A "consistent and persistent" nation-state hacking group run by Russian intelligence breached Microsoft's cloud-based email by using a test account to authorize a custom-built malicious application.
So said Microsoft on Thursday in a postmortem into a late November attack targeting Microsoft 365, the company's ubiquitous suite of productivity and cloud storage apps. Microsoft recently discovered the attack, and first publicly disclosed it on Jan. 19 (see: Microsoft: Russian Hackers Had Access to Executives' Emails).
Microsoft reported that attackers had built their own applications for Office 365 OAuth - referring to the token-based, delegated authorization framework - and had granted the applications complete access to Microsoft's own Outlook estate, obtaining access to the inboxes assigned to various executives, including those in cybersecurity and legal functions, and stealing copies of their emails and attachments.
Microsoft attributed the attack to a group it tracks as Midnight Blizzard - formerly Nobelium and also known as APT29 and Cozy Bear. The White House in 2021 tied the group to Russia's Foreign Intelligence Service, or SVR, after its hackers had injected a Trojan into the updater for the widely used SolarWinds Orion software.
The SolarWinds campaign may have begun in September 2019 and wasn't detected until December 2020, demonstrating how SVR intelligence-gathering cyberespionage operations are designed to persist for lengthy periods of time.
Microsoft said in this case, Midnight Blizzard appeared to have access to its Outlook inboxes for about six weeks.
As part of ongoing digital forensic analysis, including reviewing Exchange Web Services logs, the company's security team has found that the same group of attackers used identical tactics to target the inboxes of an unspecified number of its customers. "We have begun notifying these targeted organizations," Microsoft said.
The company didn't state if any existing defenses, such as having multifactor authentication enabled for the accounts, might have helped blunt these types of attacks, or if the attackers had simply been able to bypass MFA.
"This investigation is still ongoing, and we will continue to provide details as appropriate," Microsoft said.
One targeted Microsoft customer appears to be Hewlett Packard Enterprise. On Wednesday, HPE told investors it "was notified that a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear, had gained unauthorized access to HPE's cloud-based email environment." HPE said the attacks appear to connect with the group that in May 2023 exfiltrated multiple SharePoint files, which HPE said it was notified about in June 2023.
How the Attack Proceeded
As described by Microsoft, here's how the successful compromise of its "legacy, non-production test tenant account" proceeded:
- Password spraying: Hackers attempted to log into accounts using a dictionary attack, avoiding detection by limiting the rate at which they attempted to log in and by using residential proxies to disguise and rapidly change the IP addresses from which such attempts originated, and "compromised a legacy, non-production test tenant account that did not have multifactor authentication enabled."
- Creating malicious OAuth applications: Using that account, Microsoft said the attacker found and compromised "a legacy test OAuth application that had elevated access to the Microsoft corporate environment," after which they "created additional malicious OAuth applications," as well as "a new user account to grant consent in the Microsoft corporate environment to the actor-controlled malicious OAuth applications."
- Full access: The attacker set their OAuth applications to give them full access - via the
full_access_as_approle - to multiple Office 365 Exchange Online mailboxes.
- Harvesting emails: "Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts," again by using the distributed residential proxy infrastructure to access "the compromised tenant" and then Exchange Online.
Microsoft Promises to Move Quickly
Microsoft might be an intelligence-gathering target of the SVR on multiple fronts. "The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself," the company said in its initial breach disclosure. Of course, that might have been secondary to gaining access to Microsoft's customers' inboxes.
The tech giant has also been a prominent supporter of Ukraine as it faces down Russia's war of conquest, and it helped Kyiv to maintain government and public services by moving many of its operations to Microsoft-hosted cloud services.
In the wake of this latest known SVR attack, the company has promised to more quickly overhaul its defenses. "We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes," it said in its initial breach notification.
In the Thursday update, the company said some better defenses are already now in place to guard against a repeat of this type of attack. "If the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks," it said.