In a blog post on Friday, Microsoft announced that it had detected a breach in November that led to the theft of emails from executives and employees in its legal and cybersecurity departments. The company identified the culprits as hackers working for the Russian government and has begun notifying employees whose communications were intercepted.
The attack was also disclosed in a filing with the Securities and Exchange Commission (SEC). Last year, the SEC began requiring public companies to disclose such information within four days of determining that the breach is substantial, so that investors would be informed of a potential impact on relationships with customers or reputation.
The filing stated that Microsoft ‘has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.’
An insider stated that Microsoft had only filed with the SEC to comply with the spirit of the regulation, and not necessarily because they were convinced of the material impact.
Microsoft said that the breach was not due to any flaw in its software. It began with a ‘password spraying’ attack, in which a hacker tries different common passwords against many user accounts in rapid succession in the hope that one combination is successful.
The password worked on what Microsoft described as an ‘old test account’. The hacker then used privileges attached to the account to obtain access to multiple streams of email. The company said that the hackers scoured the email accounts in an attempt to discover what Microsoft knew about them.
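A defender-side illustration of the pattern described above, added here and not taken from Microsoft or the original report: a detector that flags a source failing logins against many distinct accounts in a short window, then lists any account that source subsequently logged in to. The log format, thresholds, addresses and account names (including `test-legacy`) are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window; tune per environment
MIN_USERS = 4                  # assumed: distinct accounts failed from one source

# Constructed sample sign-in log (not real data); the line format is an assumption.
SAMPLE_LOG = """\
2024-01-10T03:00:01 src=203.0.113.7 user=alice result=FAIL
2024-01-10T03:00:03 src=203.0.113.7 user=bob result=FAIL
2024-01-10T03:00:04 src=198.51.100.20 user=carol result=FAIL
2024-01-10T03:00:06 src=203.0.113.7 user=carol result=FAIL
2024-01-10T03:00:09 src=203.0.113.7 user=dave result=FAIL
2024-01-10T03:00:11 src=203.0.113.7 user=test-legacy result=OK
2024-01-10T03:00:40 src=198.51.100.20 user=carol result=OK
"""

def parse(line):
    """Split 'timestamp key=value ...' into (time, source, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"]

def detect_spray(log_text):
    """Return {source: accounts it logged in to after being flagged as spraying}."""
    recent = defaultdict(deque)  # source -> (time, user) failures inside WINDOW
    flagged = {}                 # source -> accounts with a later successful login
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse(line)
        fails = recent[src]
        while fails and ts - fails[0][0] > WINDOW:
            fails.popleft()      # drop failures older than the window
        if result == "FAIL":
            fails.append((ts, user))
            # Many distinct users from one source is the spray signature;
            # one user mistyping a password repeatedly never reaches it.
            if len({u for _, u in fails}) >= MIN_USERS:
                flagged.setdefault(src, set())
        elif src in flagged:
            flagged[src].add(user)  # success from a spraying source: likely compromise
    return {s: sorted(u) for s, u in flagged.items()}

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

The second source in the sample, a single user who fails once and then succeeds, is not flagged, which is the distinction the distinct-account count is there to make.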
‘To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,’ Microsoft said in a statement.
The same hacking group was responsible for the breach of the SolarWinds network management software disclosed in 2020. They had inserted a backdoor into the code to allow them access to nine federal agencies and 100 other customers.
As part of that attack, the hackers compromised Microsoft resellers with current access to customers, then modified those customers’ accounts to steal their emails. SolarWinds was sued by the SEC last year for its failure to inform stockholders that its system was vulnerable to hacks.
Security experts and government officials have consistently called out weak authentication requirements, test accounts, and the unrestricted ease of creating accounts as major loopholes in Microsoft service protections. Similar loopholes were used in the new attack.
Microsoft’s disclosure comes during the ongoing investigation by the Department of Homeland Security’s Cyber Safety Review Board into lapses in Microsoft security that allowed Chinese hackers to steal emails from top U.S. diplomats ahead of a summit between China and the U.S. last year.
Those hackers succeeded in stealing Microsoft’s digital keys for validating new organizational customers. Microsoft has reiterated its efforts to increase security.
By Marvellous Iwendi
Source: The Washington Post