Microsoft on Friday disclosed that a Kremlin-backed threat actor named Midnight Blizzard (also known as APT29 or Cozy Bear) was able to access some of its source code repositories and internal systems after a breach that was discovered in January 2024.
“In recent weeks, evidence has shown that Midnight Blizzard is using information obtained from our corporate email systems to gain unauthorized access,” Microsoft stated.
“This included getting into some of our source code repositories and internal systems. So far, there is no indication that customer-facing systems hosted by Microsoft have been compromised.”
Microsoft is still investigating the breach and mentioned that the Russian state-sponsored actor is trying to make use of the different types of information it acquired, including details shared between customers and Microsoft through email.
The company did not specify the nature or extent of the compromise, but confirmed that affected customers have been contacted. The specific source code accessed was not disclosed.
Microsoft also revealed that it has increased its security investments and noted a significant increase in password spray attacks by Midnight Blizzard in February compared to January.
The ongoing attack by Midnight Blizzard demonstrates a sustained and significant commitment from the threat actor, indicating a high level of coordination and focus, according to Microsoft.
This incident is part of a broader trend of sophisticated nation-state attacks that pose an unprecedented global threat, the company added.
The breach at Microsoft occurred in November 2023 when Midnight Blizzard used a password spray attack to infiltrate a non-production test tenant account lacking multi-factor authentication (MFA).
In late January, Microsoft warned that APT29 targeted other organizations using various initial access methods, from stolen credentials to supply chain attacks.
Midnight Blizzard is associated with Russia’s Foreign Intelligence Service (SVR) and has been active since at least 2008, targeting high-profile entities like SolarWinds.