Microsoft has blamed the ongoing attacks on an SVR group it calls Midnight Blizzard (Reuters)

Microsoft has warned that Russian government hackers blamed for hacking the emails of its executives last month have taken advantage of what they stole to try to break into customers’ computer systems.

Microsoft said in a securities filing and a blog post that hackers associated with Russia’s SVR foreign intelligence service have also intensified their attacks on Microsoft itself, probing for new areas to break into.

“The group’s attacks are characterized by a sustained and significant commitment of the threat actor’s resources, coordination, and focus,” Microsoft wrote on its security blog. “What it represents has evolved more broadly into an unprecedented global threat landscape, particularly in the context of sophisticated nation-state attacks.”

Microsoft said it was reviewing the emails stolen from its executives and security staff and warning customers whose secrets could have been exposed in that correspondence. It would not say how many customers it had alerted, and it did not deny that the hackers had stolen source code or still remained inside the company. Hewlett Packard Enterprise, which provides cloud services to large companies, also said last month that it had been hacked.

The success of the operation has alarmed intelligence services on several continents, which have privately warned of dozens more victims. They have issued public warnings to users of cloud services, including Microsoft’s Office programs and Outlook email, with detailed recommendations on hardening their installations.

On Thursday, the US National Security Agency and the Department of Homeland Security recommended that customers evaluate their vendors’ security records, audit their account activity logs and limit user privileges.

Although Amazon and Alphabet’s Google are big sellers of cloud services, neither has reported an increase in attacks, and neither has sensitive government agencies as customers to the extent that Microsoft does. Both declined to comment. (Amazon founder Jeff Bezos owns The Washington Post.)

Hackers compromised Microsoft resellers with continuing access to customers, then added or modified accounts in search of emails to steal

Microsoft blames the ongoing attacks on an SVR group it calls Midnight Blizzard, which other security companies refer to as APT29 or Cozy Bear. This is the same group that hacked network software company SolarWinds in 2020. In that case, the hackers inserted a backdoor into SolarWinds’ code that allowed them to break into nine federal agencies and 100 other SolarWinds customers.

As part of that hacking campaign, the intruders also compromised Microsoft resellers that had continuing access to customers, then added or modified accounts in search of emails to steal. The SEC sued SolarWinds last year for failing to tell its shareholders that its systems were being hacked.

Interviews with people who have responded to the recent attacks suggest that resellers remain targets for the SVR, particularly those with ongoing access to customers through “service accounts” that can add or remove Microsoft users.

“One of the things we are seeing is the continued abuse and exploitation of smaller companies that set up email tenants for smaller organizations. This allows a threat actor to compromise a small business environment and gain administrator access to all the tenant emails established in the past,” said Charles Carmakal, chief technology officer of Google’s Mandiant security business.

“Gaining access to these accounts gives threat actors privileged initial access to the network so they can launch subsequent operations,” the UK’s National Cyber Security Centre (NCSC) said in a bulletin last week. “SVR campaigns have also targeted inactive accounts of users who no longer work at a victim organization, but whose accounts remain in the system.”
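The two patterns described above, a reseller or partner service account creating and elevating a user that then acts inside the customer’s tenant, and enabled accounts that nobody has signed into for months, are exactly what the audit-log review recommended by the NSA and DHS should surface. The following Python is an added example and not code from the article, from Microsoft or from any of the firms quoted; the audit records, the user inventory, the field names and the domains example.test and partner-msp.test are all constructed for illustration and do not follow any real tenant’s log schema.

```python
import json
from datetime import datetime, timedelta, timezone

TENANT_DOMAIN = "example.test"  # assumed customer tenant domain for this example

# Constructed directory audit records (not real logs); field names are assumptions.
# 'actor' is the identity that performed the operation, 'target' what it acted on.
AUDIT_LOG = """\
{"ts": "2024-01-12T03:14:07Z", "actor": "svc-delegated@partner-msp.test", "operation": "Add user", "target": "backup-admin@example.test"}
{"ts": "2024-01-12T03:15:40Z", "actor": "svc-delegated@partner-msp.test", "operation": "Add member to role", "target": "backup-admin@example.test", "role": "Global Administrator"}
{"ts": "2024-01-12T03:20:02Z", "actor": "backup-admin@example.test", "operation": "Add app role assignment", "target": "mail-sync-app", "role": "Mail.Read"}
{"ts": "2024-01-12T09:02:11Z", "actor": "it-helpdesk@example.test", "operation": "Reset user password", "target": "jdoe@example.test"}
{"ts": "2024-01-12T09:30:00Z", "actor": "svc-delegated@partner-msp.test", "operation": "Update user", "target": "jdoe@example.test"}
"""

# Constructed user inventory (not real data): who is enabled, when created, last sign-in.
USERS = [
    {"upn": "jdoe@example.test", "enabled": True, "created": "2022-03-01T00:00:00Z", "last_sign_in": "2024-01-11T17:00:00Z"},
    {"upn": "former.employee@example.test", "enabled": True, "created": "2021-05-10T00:00:00Z", "last_sign_in": "2023-06-02T08:00:00Z"},
    {"upn": "backup-admin@example.test", "enabled": True, "created": "2024-01-12T03:14:07Z", "last_sign_in": None},
    {"upn": "contractor@example.test", "enabled": False, "created": "2020-01-01T00:00:00Z", "last_sign_in": "2020-02-01T00:00:00Z"},
]

# Operations that create, alter or elevate an account; the set is an assumption for the example.
ACCOUNT_CHANGE_OPS = {"Add user", "Update user", "Add member to role",
                      "Add app role assignment", "Reset user password"}


def _ts(value):
    """Parse a UTC timestamp string, or pass a datetime through unchanged."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(raw):
    """One JSON object per line, returned in chronological order with a parsed 'when'."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for e in events:
        e["when"] = _ts(e["ts"])
    return sorted(events, key=lambda e: e["when"])


def is_external(identity, tenant_domain=TENANT_DOMAIN):
    """True when the identity's domain is not the customer's own tenant (e.g. a partner)."""
    return identity.rsplit("@", 1)[-1].lower() != tenant_domain.lower()


def external_account_changes(events, tenant_domain=TENANT_DOMAIN):
    """Account-changing operations performed by an identity outside the tenant."""
    return [e for e in events
            if e["operation"] in ACCOUNT_CHANGE_OPS and is_external(e["actor"], tenant_domain)]


def new_account_activity(events, tenant_domain=TENANT_DOMAIN, window=timedelta(hours=24)):
    """Link accounts created by an external identity to actions those accounts take within `window`.

    Returns (creator, new_account, operation) triples; a partner-created account that
    immediately grants itself mail access is the reseller-abuse pattern in one row.
    """
    created = {e["target"]: e for e in events
               if e["operation"] == "Add user" and is_external(e["actor"], tenant_domain)}
    chains = []
    for e in events:
        origin = created.get(e["actor"])
        if origin and origin["when"] < e["when"] <= origin["when"] + window:
            chains.append((origin["actor"], e["actor"], e["operation"]))
    return chains


def dormant_accounts(users, now, max_idle_days=90):
    """Enabled accounts with no sign-in in `max_idle_days`; never-used accounts age from creation."""
    cutoff = _ts(now) - timedelta(days=max_idle_days)
    return [u["upn"] for u in users
            if u["enabled"] and _ts(u["last_sign_in"] or u["created"]) < cutoff]


if __name__ == "__main__":
    events = parse_events(AUDIT_LOG)
    for e in external_account_changes(events):
        print("external change:", e["ts"], e["actor"], e["operation"], e["target"])
    for creator, account, op in new_account_activity(events):
        print("new account acted:", creator, "->", account, op)
    print("dormant:", dormant_accounts(USERS, "2024-01-13T00:00:00Z"))
```

The chain check is the part worth keeping: a single “Add user” by a partner account is normal for a reseller, but a partner-created account that elevates itself and grants an application mail read access within the hour is the sequence the article describes, and reviewing the sequence rather than individual events is what distinguishes it from routine provisioning. The dormant-account list is the follow-up to the NCSC note: anything returned should be disabled or removed, not left for someone else to reuse.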

Russia and other countries are naturally targeting cloud providers as more large companies and governments rely on them (Getty Images)

The NCSC noted that the intelligence services of the “Five Eyes” (Britain, Australia, Canada, New Zealand and the United States) agreed that Russia’s SVR was behind the attacks, and that the SVR had expanded its targets from government agencies and think tanks to aviation, education, law enforcement, local government and military organizations.

Microsoft’s updated disclosure has again raised questions about its ability to protect itself and its sensitive customers. This intrusion is one of several Microsoft has suffered at the hands of the SVR in recent years; in an earlier incident, the hackers obtained source code for the company’s identity-authentication system. Last year, Chinese government hackers also used Microsoft as a springboard to steal emails from officials at the State and Commerce departments.

Chris Krebs, head of intelligence at security firm SentinelOne, said Russia and other countries are naturally targeting cloud providers as more large companies and governments rely on them.

“We have not reached any tipping point for them that would cause them to rethink their strategy of going after big cloud services companies like Microsoft. They have put this firmly on their priority list,” said Krebs, who previously headed the Cybersecurity and Infrastructure Security Agency.

In the most recent case, Microsoft’s initial disclosure said that SVR hackers had broken into a dormant test account in the cloud. But it did not explain how the attackers got from there to the top executives’ emails, and that question remains unanswered, leaving open the possibility that the SVR has discovered a major new flaw in Microsoft’s Azure cloud system.

“It’s clear that authentication is a mess within Microsoft,” said Adam Meyers, senior vice president at CrowdStrike, which, like SentinelOne, competes with Microsoft in the security business.

Meyers believes it is dangerous for many government customers to rely on Microsoft not only for word processing and email, but also for authentication and security.

“If you put all your eggs in one basket, and that basket is Microsoft, there’s a big egg-shaped hole in that basket,” Meyers said. “You need layered security.”

