Microsoft confirms that Russian hackers stole source code and some customer secrets

09 March 2024 | Pressroom | Cyber attack / threat intelligence


Microsoft on Friday revealed that the Kremlin-backed threat actor known as Midnight Blizzard (also known as APT29 or Cozy Bear) managed to access some of its source code repositories and internal systems following a hack that came to light in January 2024.

“Over the past few weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” the tech giant said.

“This included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that customer-facing systems hosted by Microsoft have been compromised.”


Redmond, which is continuing to investigate the scope of the breach, said the Russian state-sponsored threat actor is attempting to exploit the different types of secrets found, including those shared between customers and Microsoft via email.

However, it did not reveal what these secrets were or the extent of the compromise, although it said it had contacted affected customers directly. It is unclear what source code was accessed.

Saying it has increased its investments in security, Microsoft also noted that the adversary ramped up its password spray attacks by up to 10 times in February, compared to the “already high volume” observed in January.

“The ongoing Midnight Blizzard attack is characterized by a sustained and significant commitment of the threat actor’s resources, coordination and concentration,” it said.

“It could use the information obtained to accumulate a picture of the areas to attack and improve its ability to do so. This reflects what has become an unprecedented global threat landscape more generally, especially in terms of sophisticated domestic attacks.”

The Microsoft breach is said to have occurred in November 2023, with Midnight Blizzard using a password spray attack to successfully infiltrate a legacy, non-production, test tenant account that did not have multi-factor authentication (MFA) enabled.
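The initial access technique described above (a password spray against an account without MFA) leaves a distinctive trace in sign-in telemetry: one source trying a few passwords against many accounts, so each account sees only one or two failures while the source touches dozens. The detection below is an added example, not Microsoft's own tooling; the event tuples are constructed and the field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, account, source_ip, result).
# Not real telemetry; the account names and IPs are documentation values.
SAMPLE_EVENTS = [
    ("2024-02-01T10:00:01", "alice@example.test", "203.0.113.10", "FAIL"),
    ("2024-02-01T10:00:04", "bob@example.test", "203.0.113.10", "FAIL"),
    ("2024-02-01T10:00:07", "carol@example.test", "203.0.113.10", "FAIL"),
    ("2024-02-01T10:00:11", "dave@example.test", "203.0.113.10", "FAIL"),
    ("2024-02-01T10:00:15", "erin@example.test", "203.0.113.10", "FAIL"),
    ("2024-02-01T10:00:20", "legacy-test@example.test", "203.0.113.10", "SUCCESS"),
    # Classic brute force against one account: few distinct accounts, not a spray.
    ("2024-02-01T10:05:00", "alice@example.test", "198.51.100.7", "FAIL"),
    ("2024-02-01T10:05:30", "alice@example.test", "198.51.100.7", "FAIL"),
    ("2024-02-01T10:06:00", "alice@example.test", "198.51.100.7", "SUCCESS"),
]

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: finding} for sources whose failed sign-ins hit at least
    `min_accounts` distinct accounts inside `window`. Per-account failure counts
    stay low in a spray (that is how it evades lockout), so the signal is the
    distinct-account count per source, not the failure count per account."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failed = [(t, u) for t, u, r in rows if r == "FAIL"]
        start = 0
        for end in range(len(failed)):  # sliding time window over failures
            while failed[end][0] - failed[start][0] > window:
                start += 1
            users = {u for _, u in failed[start:end + 1]}
            if len(users) >= min_accounts:
                # A success from the same source after the spray began is the
                # account to triage first: it is the one the password worked on.
                successes = [u for t, u, r in rows
                             if r == "SUCCESS" and t >= failed[start][0]]
                findings[ip] = {"accounts_targeted": len(users),
                                "successes": successes}
                break
    return findings
```

Feed real sign-in exports in the same tuple shape; the thresholds are starting points and should be tuned to the tenant's normal failure rate.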


The tech giant, in late January, revealed that APT29 had targeted other organizations by leveraging a diverse set of initial access methods ranging from stolen credentials to supply chain attacks.

Midnight Blizzard is considered part of Russia’s Foreign Intelligence Service (SVR). Active since at least 2008, the threat actor is one of the most prolific and sophisticated hacking groups, capable of compromising high-profile targets such as SolarWinds.
