The Russian Midnight Blizzard threat actor that exfiltrated Microsoft corporate email over six months ago also gained access to some customer accounts that had corresponded with the company's corporate email accounts, Microsoft said.
A spokesperson said the tech giant is sending notifications to customers who have communicated with compromised Microsoft corporate email accounts, “providing the customers the email correspondence that was accessed by this actor.”
The threat actor reportedly used password spraying to compromise a legacy account on Microsoft's corporate network, then used that foothold to access some Microsoft corporate email accounts.
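The initial access vector above is a password spray: one source trying a few passwords against many accounts, which is easy to miss if each account is inspected on its own. As an added illustration (not code from the article or from Microsoft), the detector below groups failed sign-ins by source address over a time window and then lists any account that later authenticated successfully from a spraying source; the event format, thresholds and sample records are assumptions constructed for the example.

```python
# Added example: password-spray detection over constructed sign-in records.
# A spray shows up as one source failing against MANY distinct accounts
# inside a short window, so we key on source address, not on user.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, source_ip, success)
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:01", "alice@corp.example", "198.51.100.7", False),
    ("2024-01-10T02:00:03", "bob@corp.example", "198.51.100.7", False),
    ("2024-01-10T02:00:05", "carol@corp.example", "198.51.100.7", False),
    ("2024-01-10T02:00:07", "dave@corp.example", "198.51.100.7", False),
    ("2024-01-10T02:00:09", "legacy-test@corp.example", "198.51.100.7", True),
    ("2024-01-10T02:05:00", "alice@corp.example", "203.0.113.4", False),
    ("2024-01-10T02:05:30", "alice@corp.example", "203.0.113.4", True),
]


def detect_spray(events, window=timedelta(minutes=10), min_users=4):
    """Return {source_ip: sorted users} for every source whose failed
    sign-ins hit at least `min_users` distinct accounts within `window`.
    The window and threshold are assumed values; tune them to your tenant."""
    by_source = defaultdict(list)
    for ts, user, src, ok in events:
        if not ok:
            by_source[src].append((datetime.fromisoformat(ts), user))
    alerts = {}
    for src, fails in by_source.items():
        fails.sort()  # chronological, so each index starts a candidate window
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


def successes_after_spray(events, alerts):
    """Accounts that authenticated successfully from a spraying source.
    These are the first things to triage: a legacy or test account that
    accepted a sprayed password is exactly the foothold described above."""
    return sorted({u for _, u, src, ok in events if ok and src in alerts})
```

Per-user lockout thresholds never fire on a spray because each account sees only a handful of attempts, which is why the grouping key is the source rather than the user.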
Midnight Blizzard mainly targets governments, diplomatic entities, NGOs, and IT service providers in the U.S. and Europe to collect intelligence via consistent and persistent espionage operations.
The nation-state-backed cyber spies' initial access methods include using stolen identities, supply chain attacks, exploiting on-premises environments to move laterally into the cloud, and abusing service providers' trust chains. They also deploy the AD FS malware known as FOGGYWEB and MAGICWEB.
The state-sponsored threat actor Midnight Blizzard (NOBELIUM) is aligned with the Russian Foreign Intelligence Service (SVR) and is also identified as BlueBravo, Cloaked Ursa, Cozy Bear, APT29, UNC2452, and The Dukes.
APT29 has been linked to the SolarWinds supply chain attack and, more recently, to the breaches of Hewlett-Packard Enterprise's and TeamViewer's corporate networks.
In 2023, the state-backed Chinese threat actor Storm-0558 gained access to the mailboxes of over 500 individuals at 22 organizations, including several senior U.S. officials such as Secretary of Commerce Gina Raimondo and Ambassador to China R. Nicholas Burns.