Microsoft Corp. said Friday a Russian hacking group illegally gained access to some of its top executives’ email accounts.
In late November, the group accessed “a legacy non-production test tenant account and [gained] a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents,” Microsoft’s Security Response Center wrote in a blog post.
Microsoft’s senior leadership team, which includes Chief Financial Officer Amy Hood and President Brad Smith, routinely meets with Chief Executive Satya Nadella.
The company reported that there were no signs Nobelium had accessed customer data, production systems or proprietary source code.
A Microsoft spokesperson provided this comment late Friday: “Our security team recently detected an attack on our corporate systems attributed to the Russian state-sponsored actor Midnight Blizzard. We immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. More information is available in our blog.”
Nobelium, also known as APT29 or Cozy Bear, is a shadowy hacking group that attempted to crack the systems of the U.S. Defense Department and did breach the Democratic National Committee’s systems in 2016.
Netskope Threat Labs, which tracks Nobelium, said the hacking group uses a variety of techniques to compromise accounts, including using compromised Azure AD accounts to collect victim emails. “This hack underscores the importance of securing corporate email accounts, even those in non-production and test environments,” a Netskope spokesperson said. “Even if the email account isn’t regularly used or doesn’t contain anything sensitive, it can still be used to launch additional attacks.”
Microsoft’s disclosure comes amid new U.S. requirements to report cybersecurity incidents.