Russia-Sponsored Cyberattackers Infiltrate Microsoft's Code Base

The Russian state-sponsored advanced persistent threat (APT) group known as Midnight Blizzard has nabbed Microsoft source code after accessing internal repositories and systems, as part of an ongoing series of attacks by a very sophisticated adversary.

The Redmond giant noted today that the previously announced cyber campaign by Midnight Blizzard, which commenced in January, has evolved. Assailants are continually probing its environment in an attempt to use secrets of different types that it originally exfiltrated from internal emails. It's a "sustained, significant commitment" on the part of the group, according to Microsoft.

"Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access [deeper into our environment]," according to Microsoft's blog post on the attack. "This has included access to some of the company’s source code repositories and internal systems."

The group (aka APT29, Cozy Bear, Nobelium, and UNC2452) may also be laying the groundwork for future efforts, according to the post, "using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so."

Further, Microsoft said that the attackers are turning up the volume on password-spraying attempts, observing a tenfold increase in February against its accounts.

Ariel Parnes, chief operating officer and co-founder at Mitiga, noted in an emailed statement that the source-code heist could lead to a flurry of zero-day vulnerability exploitation.

"For advanced nation-state cyber groups, access to a company's source code is akin to finding the master key to its digital kingdom, opening up avenues for finding new zero-day vulnerabilities: undiscovered security flaws that can be exploited before they're known to the software creators or the public," he warned, adding that the Microsoft breach is clearly much "more severe than initially understood, underscoring the critical nature of source code security in the digital age."

The good news is that there's so far no evidence that Midnight Blizzard has compromised Microsoft-hosted customer-facing systems; however, in some instances, secrets were shared between customers and Microsoft in email.

"As we discover them in our exfiltrated email," according to the post, "we have been and are reaching out to these customers to assist them in taking mitigating measures."