Microsoft Says Russia-Linked Group Hacked Employee Emails

Microsoft Corp. said a Russian-linked hacking group attacked its corporate systems, getting into a “small number” of email accounts, including those of senior leadership and employees who work in cybersecurity and legal.

The company said it’s acting immediately to fix older systems, which will probably cause some disruption.

The hacking group doesn’t appear to have accessed customers’ systems or Microsoft servers that run outward-facing products, the software giant said Friday in a blog post. Microsoft also has no evidence the group, named Midnight Blizzard, got into source code or artificial intelligence systems.

“We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes,” the company said. “This will likely cause some level of disruption.”

The group that Microsoft deemed responsible, also known as “Nobelium,” is a sophisticated nation-state hacking group that the US government has tied to Russia. The same group previously breached SolarWinds Corp., a US federal contractor, as part of a massive cyber-espionage effort against US federal agencies.

The company said hackers beginning in November used a “password spray” attack to infiltrate its systems. That technique, sometimes known as a “brute force attack,” typically involves outsiders quickly trying multiple passwords on specific user names in order to try breaching targeted corporate accounts.

In this case, in addition to the accessed accounts, the attackers also took emails and attached documents. Microsoft said it detected the hack on Jan. 12, adding that the company is still notifying employees whose emails were accessed.

Eric Goldstein, executive assistant director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency, said government officials are “closely coordinating with Microsoft to gain additional insights into this incident and understand impacts so we can help protect other potential victims.”

Microsoft technology has frequently been the target of major hacking campaigns.

The US Cyber Safety Review Board, which reports to the Department of Homeland Security, is already assessing a 2023 intrusion against Microsoft Exchange Online that the company attributed to China-linked hackers. That breach enabled the hack of senior US officials’ email accounts and has prompted growing concerns about cloud computing security. Microsoft said in September it identified five different errors in how its systems that have “been corrected.”

In an interview with Bloomberg in 2023 following that breach, Jen Easterly, director of the agency that manages the board, suggested that Microsoft should “recapture the ethos” of what Microsoft co-founder Bill Gates called “trustworthy computing” in 2002, when he instructed employees to focus on security over adding new features.

“I absolutely positively think they have to focus on ensuring their products are both secure by default and secure by design, and we are going to continue to work with them to urge them to do that,” Easterly said of Microsoft.

In November, Microsoft said it was overhauling how it protects its software and systems after a series of high-profile hacks. Now the company said it must pick up the pace on changes, particularly to older systems and products.

“For Microsoft, this incident has highlighted the urgent need to move even faster,” the company said Friday.

(Updates with comments from cyber agency in the eighth paragraph.)

Top photo: Microsoft signage is displayed outside a Microsoft Technology Center in New York, U.S., on Wednesday, July 22, 2020. Microsoft Corp. is set to post quarterly results after the closing bell and the tech bellwether’s performance will likely uphold its standing as a darling of Wall Street. Photographer: Jeenah Moon/Bloomberg