Microsoft confirms hackers breached their internal systems, stole source and some customer data
Microsoft disclosed on Friday, 8 March, that the hacker group known as Midnight Blizzard (also tracked as APT29, Cozy Bear, and other names) had successfully infiltrated its internal systems and source code repositories. The breach, first detected in January 2024, was part of a series of sophisticated cyber espionage efforts by Midnight Blizzard, a group with a history of high-profile attacks including the SolarWinds supply chain incident in 2020.
The attack began in November 2023 with a password spray attack, a form of brute force attack that tries a small number of common passwords against many accounts, keeping the attempts per account low enough to avoid triggering lockouts and other security mechanisms. This method gave the attackers unauthorized access to a non-production test tenant account that lacked multi-factor authentication (MFA), and from that foothold they were able to access and exfiltrate data from a limited number of corporate email accounts. These accounts belonged to senior leadership and to employees in key departments such as cybersecurity and legal.
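The defining signature of the password spray described above is many distinct accounts hit from one source with only one or two attempts each, which is exactly what per-account lockout thresholds miss. The following is an added detection example, not code from the article or from Microsoft; the sign-in events, IP addresses, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events, not real telemetry: 203.0.113.7 tries one
# password against a dozen accounts, then gets into an MFA-less test account;
# 198.51.100.5 is a single user mistyping their own password twice.
EVENTS = [
    {"ts": f"2023-11-20T03:00:{i:02d}", "ip": "203.0.113.7",
     "user": f"user{i}@example.test", "result": "fail"} for i in range(12)
] + [
    {"ts": "2023-11-20T03:00:30", "ip": "203.0.113.7",
     "user": "svc-test@example.test", "result": "success", "mfa": False},
    {"ts": "2023-11-20T03:01:00", "ip": "198.51.100.5",
     "user": "alice@example.test", "result": "fail"},
    {"ts": "2023-11-20T03:01:30", "ip": "198.51.100.5",
     "user": "alice@example.test", "result": "fail"},
]


def detect_spray(events, window=timedelta(minutes=10), min_accounts=10, max_per_account=2):
    """Return source IPs whose failures touch many distinct accounts with only
    a few attempts each inside one time window (the spray signature)."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            failures[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    flagged = set()
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # slide the window over each start
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged.add(ip)
                break
    return flagged


def successes_from_spray_sources(events, flagged):
    """Successful sign-ins from flagged sources; an entry whose mfa flag is
    False is the kind of foothold the article describes and needs review."""
    return [(e["ip"], e["user"], e.get("mfa", True))
            for e in events if e["result"] == "success" and e["ip"] in flagged]


if __name__ == "__main__":
    sources = detect_spray(EVENTS)
    print("spray sources:", sources)
    print("sign-ins to review:", successes_from_spray_sources(EVENTS, sources))
```

The single user with two failures is not flagged, while the source that spread twelve attempts across twelve accounts is, and its later success against an account without MFA is surfaced for investigation.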
The attackers' motives appear to center on using the stolen information to conduct further unauthorized activity, including access to Microsoft's source code repositories and internal systems. However, the specific details and the scale of the source code that was accessed remain undisclosed.
Microsoft has responded to these threats by notifying affected individuals and increasing its security investments, and it reports having observed a tenfold increase in password spray attacks by Midnight Blizzard in February 2024.