203 comments

[ 37.5 ms ] story [ 252 ms ] thread
Why does the data security industry seem to be so into obfuscated jargon? It’s like a new industry microcosm corporatespeak.

It’s ok to call them countries, hackers, and intrusions.

Microsoft got hacked by Russian government hackers.

My summary understanding of this write-up is that a weak password was guessed and allowed entry into an old system that had access to stuff it shouldn't have had access to.
Your summary is also ambiguous. Were they hacked by the Russian CIA equivalent? Were they hacked by people funded by the Russian government? Were they hacked by people funded by senior government officials?

I think it's possible that the truth is a little murky, and capturing that ambiguity is actually clearer than trying to wave it away

> The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard

https://www.cisa.gov/topics/cyber-threats-and-advisories/adv...

So, they're "Russian Foreign Intelligence Service (SVR) cyber actors"

Im guessing that's like saying they are hired by the Russian equivalent of the CIA and following direct orders from top Russian officials?
While the CIA is a US foreign intelligence agency, I'd hesitate to call them equivalent. Hired by as in, employees of, Russian intelligence? Unless my link is inaccurate, yes.
> It’s ok to call them countries, hackers, and intrusions.

It's not if you want to do business in that country. Or if you annoy allies of that country (accusing certain countries might get senators breathing down your neck!). You are accusing a government of committing a crime, or at least a wildly unethical behavior. Those are huge charges. To your point, I wish they could be more direct, but...

> Microsoft got hacked by Russian government hackers.

It is not known whether this hacking group is private, government sponsored, or government run. They could be a private group that takes both private and government contracts.

If they were funded via government channels, who was it? A higher up person using their personal wealth? A specific agency? Multiple agencies?

The reason they are being so vague is because they don't know the answers, and it is very discrediting to throw around incorrect accusations.

>> It is not known whether this hacking group is private, government sponsored, or government run.

Coming from Russia, that's a distinction without a difference.

Sure, private groups can 'freelance', but not without at least tacit permission from the FSB, GRU, and/or SVR (more accurately, cant freelance for long). Especially so for sch a high visibility target such as Microsoft.

And when the RU govt isdues a denial, it's confirmed.

But still no reason for MS to escalate the wording. They put enough in there that anyone with a clue knows it's serious.

The distinction probably matters to a lot of people at the scale that Microsoft is operating at. They likely worked with some sort of MS US government liaison on the wording.

Operating with tacit approval is not the same as being a government entity. Even you admit there is a small chance that this group is not tacitly approved ("for long"). I mean yeah, we all know the score, but a it's really bad idea to levy heavy charges without knowing the answer 100%.

This statement does pretty heavily implicate the Russian Govt though, yeah :)

This group is also known as CozyBear, if that rings a bell. The US government named them years ago in an announcement kicking out several Russian diplomats. I don’t think anyone is worried about being wrong on this.

https://attack.mitre.org/groups/G0016/

It is government sponsored. It says in the article.

>Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium.

But how do they know that it's sponsored by Russia? They saw the paychecks?
They’ve been around for a while and identified by several governments.

“NOBELIUM is an advanced persistent threat group also known as APT29, which is publicly attributed to the Russian government and specifically to the Foreign Intelligence Service of the Russian Federation (SVR)”

https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-...

It still doesn't answer how they know that: 1) they were hacked by that exact group 2) that group is sponsored by the Russian government.

The only evidence I've seen before in cases like this one was that they found that the hacks happened during Russia's working hours (i.e. Moscow timezone), and that they found some word in Cyrillic in some of the shell scripts. Which is honestly not hard to pull off if you want to hide your true identity. Not saying Russia is not interested in those hacks, but a lot of far-reaching conclusions are often quickly made based on such weak assumptions.

I am not going to go read every MS blog on this group to find the original attribution, but generally it is from reusing infrastructure associated with a government (often even more specifically, a branch of government). IP addresses, correlated email accounts, domains, who they have targeted in the past, code ties between the malware they use, etc. These indicators can be paired with government releases (CISA) or made independently for attribution.

Say some specific infrastructure is used to hack a law firm involved in prosecuting Russia for war crimes in Ukraine. Then that same infra is used to send disinfo targeting Ukrainian groups. Then the some distinct malware used in those attacks is also used to wipe machines in the Ukraine conflict. There are full time groups that track these indicators to tie one attack to another and distinguish groups. This group is likely the SVR.

The US government publicly named this group as a Russian government tool in a diplomatic announcement kicking out multiple Russian embassy employees in 2021. This is linked as a footnote as the citation for this claim made in the article I shared above.
At least for the "Midnight Blizzard" part of the title, it's the result of a naming framework [0] for threat actors that Microsoft has been using since April 2023. I agree it sounds weird.

[0] https://learn.microsoft.com/en-us/microsoft-365/security/int...

The naming framework for these groups isn't even consistent, with every vendor having their own scheme. Midnight Animal to one vendor is Dancing Bear to another and known by Wet Cat to yet another.

They all sound like bad translations to bargain-bin porno movies.

I’m not aware of another company that uses a naming framework.
Crowdstrike. FireEye.
Definitely agree that Crowdstrikes naming veers past what is necessary.

They even draw up supervillain graphics for them.

https://www.crowdstrike.com/adversaries/arcane-kitten/

This is wild. Ethereal Panda? Labyrinth Chollima?!

Why are we modelling threat actors/"adversaries" as a video game bestiary? Or meteorological phenomena in the case of MS?

This is really cool and incredibly stupid.

Like, who is this made to appeal to? Is this meant to make corporate executive browsing for cybersecurity solutions feel like they're in a spy movie?

Cybersecurity professionals, in general, eat this stuff up.
Russia hacks, but so do China, North Korea, Iran and Ukraine. They all have bagged large targets. It could be any of them but could be someone else as well.
(comment deleted)
As does UK and the USA. Maybe it's Microsoft hacking it self; GPT style.

If so, hello Skynet.

It largely boils down to the same reason scientists classify animals into taxonomies. It helps to have a framework for classifying the groups so you can refer back to them in the future.

Going back to my example with taxonomies: Yeah, you got bit by a spider, but exactly which kind of spider bit you? What do we know about those kinds of spiders, e.g. are they known for being venomous or not, does their bite have a well-known reaction in humans, etc.

Woah. Easy there. It sounds like you're trying to start a flamewar by singling out Russia. Don't you know that every country does this?! Please preface any accusations against Russia with paragraphs of anti-Western invective. /s
this reminds me of guys trying to out-shout each other about who wants to fight the most, in front of a lot of (Ynews) onlookers
Interesting that they seem to suggest that applying security is now more important than avoiding service disruptions. This may be the hopeful dawn of a new era.
It is indeed the beginning of a new AI related era. But why cloud services, Microsoft? There is already a new infrastructure on the way better suited for AI, called edge computing. I'm not talking about completely eliminating cloud services. But solely depending on these kind of services could lead to further problems later due to this topic (national security) is very serious for all of us.
I work in the security space. It is the dawn of an era where all the makers are stamped down under the boot ridiculous security theater via regulation for "security" and "protection" and the current interests become entrenched to ensure a couple of guys in their garage can no longer upset the behemoths of the tech space.
Well well well.. how the turn tables.

It's karma after years of my windows machine forcing a restart for a security update while I'm working on something in the middle of the day..

It won’t be. Everyone will forget about this in a week and it will be BAU. Like every other breach.
> access a very small percentage of Microsoft corporate email accounts

Ok, so far so good.

> including members of our senior leadership team

Ahhh, so maybe the attackers were after the senior leadership team and therefore stopped at the "very small percentage".

Seems weird to word it as “a very small percentage” instead of “a very small number” unless the number was a little bigger than they want to admit.
yes, at least 1% of their users

which is a very large number

> To date, there is no evidence that the threat actor had any access to customer environments, *production systems*, source code, or AI systems.

senior executive's email accounts aren't production?

having every western company use the garbage that are Microsoft's hosted products (notably Teams and Outlook) is a national security issue that's a massive disaster that's just waiting to happen

I agree around teams and outlook, but what is the alternative? Google? AWS? Self host? Honest question, because the way enterprise tends to work, they want to offload the responsibility to a third party so When information does leak or get hacked, they can blame someone else.
> but what is the alternative? Google? AWS? Self host?

I mean, given this was possible:

> used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts

pretty much anything is going to be better than letting Microsoft host your email/corporate data

[flagged]
(comment deleted)
Google or self-host.

With self-hosting you get to use thing now considered legacy (e.g., IMAP servers), but I definitely have seen them working for organisations with thousands of employees. You’ll need staff to support it, too, but at some scale it will none be more expensive than cloud services. Yet, you’ll have more control over it.

OTOH, some things will definitely be less feature-rich, for example, on-prem Sharepoint (not that I recommend using it) may not live up to the expectations of users familiar with the online version.

The denominator is "Microsoft corporate email accounts." I interpret that as email accounts of the Microsoft organization (management, employees, and so on), but not customers.

It's pretty embarrassing and not very reassuring that they themselves got owned, but they wanted to tell their customers that they didn't.

This kind of attack can happen on any tech stack where bad passwords have ever been allowed. The dunking is obviously fun, but the fact that the underlying technology happened to be Microsoft’s is largely irrelevant.
Yeah, it’s just that less legacy conpanies have less chance of having a system that can be compromised in this way. Conversely, Microsoft is almost guaranteed to have it.
Ahh, a cult follower, let me guess, you are doing C# full time and it is the greatest programming language ever created ?
(comment deleted)
I’ve noticed in PR it’s very common (I’d say even standard practice) to use percentages to hide absolute numbers, and vice versa
Haha "...access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents."

Seems like a big deal. Also, this may be why I've been getting massive amounts of "unusual account sign-in activity" emails for Microsoft about an old outlook account i no longer use...

Hopefully these state actors can get access to my vsts server i no longer can find and deploy an old app for me ;)

What does the title mean?
The title here matches the title of their blog post, which I agree is poorly worded.
> poorly worded

Or intentionally obfuscated "we were hacked".

I believe “Actions taken by Microsoft following an attack by a group named Midnight Blizzard, who are backed by a nation-state”.
I had to read the title multiple times but couldn't make sense of what is exactly happening.

Why is this happening to English?

The other day, there was a story about an airplane window that got melt and many native speakers couldn't make sense of what the title of the story meant?

In that case too, as a non native speaker of English, I blamed myself first for not understanding the language well enough.

Did they release this late on a friday to downplay the scope of the attack?

If they had top leadership accounts and service accounts hacked just by password protection sounds like a major security fubar.

Releasing news after the stock market is closed gives traders a chance to digest the news before trading begins the next day.

(Which doesn't explain why it's on a Friday.)

trading MSFT doesn't cease when the NASDAQ closing bell rings
Still, it seems to be the custom.
if you're a retail investor maybe

there's thousands of ways to get exposure to MSFT one way or the other beyond the primary market

it's the custom because it's not just stock trading that they care about, it's brand/image, and weekends give the story time to disappear from the headlines, being replaced by new stories. Fewer people are paying attention to the news over the weekend.
It could be sort of neat if there was a convention for all news agencies and press rooms to queue up all their stories and release them after the end of the business day.

Why advantage parties that can process in less than 12 hours? Rushing analysis just makes it worse.

traditionally, the weekend gave even more time to sleep on it. modern near 24/7 trading makes that less of thing. back when the traders went home, there was a cooling off period. just like the circuit breakers to stop trading on big loss days to get the humans to stop and think for a second/minute/overnight. the high frequency trading doesn't have these emotions to cool down from, so it's still something that seems to be done on tradition now.
Microsoft filed this late today with the SEC[1] just before they stopped accepting new filings for the day under their new Cybersecurity Incident disclosure rule[2]. FWIW, two other publicly traded companies disclosed[3] their breaches since the rule went into affect last month.

[1] https://www.sec.gov/Archives/edgar/data/789019/0001193125240...

[2] https://www.sec.gov/news/press-release/2023-139

[3] https://last10k.com/stock-screeners/cybersecurity

Actually there has been more, e.g. LoanDepot, Inc [1], and then various amended 8-Ks. I’ve been hacking on a side project to parse the 8-K data which is all over the place, including some companies still reporting under old “items” like 8.01 vs the new 1.05 material cybersecurity incident item.

If folks are interested in this space, I just got the mailing list [2] running last night and you can see a list of all the current incidents on my Incident Tracker [3].

I have many more data points I plan on tracking as well as adding 10-K GRC items to the list (potentially helpful for CISOs, other risk managers and investors to eval a companies risk management maturity).

Welcome any feedback!

[1] https://www.board-cybersecurity.com/incidents/tracker/202401...

[2] https://www.board-cybersecurity.com/alerts/

[3] https://www.board-cybersecurity.com/incidents/tracker/

(comment deleted)
They should look at upgrading their Entra ID plan to P2 in order to protect against these attacks.
And all things considered, an AI security assistant like Copilot might be a good investment too, if they lack highly skilled front line security staff. Not to mention, AI generated automated playbooks in Sentinel to automatically apply Zero Trust principles!

I also wonder if they had upgraded all of their Subscriptions to Defender for Cloud CSPM Tier 2 in order to use the premium Cloud Security Attack Graph explorer, and then enabled Workload protections, this tragedy could have been averted.

It’s going to take an army of motivated sales engineers to protect against these new cybernetic attacks by augmented warfighters.

Lost my sanity there for a moment before realizing what you did. Good job!
I wonder if they switched from user-based MFA to Conditional Access MFA yet, maybe they forgot to enable alerting for non-interactive logins. Maybe they forgot to update the Log Analytics Agent to the Azure Monitoring Agent. /s
> Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts [...]

> The attack was not the result of a vulnerability in Microsoft products or services.

Hmm...

They mention it was a password spray guess.
I'm guessing they don't know what a password spray is?
What is it? Just spam a form with passwords?
Well, your "legacy non production test tenant" can be opened by just guessing passwords, and it allows access to "very much in use production non-test" tenants, then you could say MS has a vulnerability. It may not be a buffer overflow, but it is a vulnerability nonetheless.
Yes, and I think most people would consider it a vulnerability if an authentication system doesn't rate-limit or otherwise slow/stop "password spray" attacks.
You can rate limit individual users but password spray attacks use a large number of accounts to remain undetected in a authentication system used by an even more users.
We are getting 10000x times the number of wrong passwords than average, I'm sure it's nothing to worry about.
It was a legacy test system connected to a production system so it doesn't count. Obviously. /s
{rolls eyes}

This is precisely the kind of 1990's level basic heuristic that this company cites as part of their Sentinel security system.

Trying to excuse a breach by 'the attacker tried a few passwords against lots of different accounts' is not compelling.

My point is that if one can guess the password on a random test box and through that gain access to critical internal systems, you have lost the right to call your system "not vulnerable".
(comment deleted)
It’s technically correct but misleading: the products are not inherently flawed but their lack of MFA means the product wasn’t used in a secure configuration. I hope that this is held against them by regulators or in court because they’ve known and even advocated for FIDO-2/WebAuthn for years and there’s no excuse for not requiring them by policy.
"We were pwned by the Russians (again) and they were reading all of Satya's emails, but it's okay, they were just looking for shout-outs to post in their interoffice Telegram channel for the lulz."

I understand that the company has to minimize every breach but this frankly looks a lot more serious than Microsoft suggests here.

I love how they emphasize only few were exposed. Like just a few, only our senior staff and cybersecurity team... I mean -- they aren't lying, but... Wow
"very small percentage"

1% of 238,000 employees is a "very small percentage" and still 2,380 employees. Insight into certain operational information and potentially undisclosed/unpatched zero days could be monumentally valuable to a nation state actor.

Isn't the rule "if you are being targeted directly, lose all hope"?
I wonder, is it any different, if it's not just average "you", but CEO? Don't they have additional security measures? May be not, I think Jeff Bezo's WhatsApp was hacked few years ago...
Never lose hope. If you can't protect the data, poison it!
The Friday evening blog post also seems designed to brush this under the rug.

"We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes"

In other words: Microsoft will adopt their own security standards. Curious whether their SOC reports mention these are optional?

And somehow it's always cross tenant issues for easy lateral movement, because Azure ASNs are always allowlisted specifically to bypass all kinds of filters.

Microsoft is pretty learning resistant lately. Always prioritize the spamming customers, I guess?

Not to downplay the severity but honestly, every breach I read about seems “serious” but very rarely does anything of consequence happen with these events.

Azure was owned pretty hard a while back, very little was ever heard of it again.

Is the drama of them appealing ? What might we expect to happen from this ? They’ve read Satya’s email ?

How do you know if nothing happens? It isn't like the people siphoning, selling, or purchasing this data are broadcasting their wins on news aggregators.
It makes the news when an entity like Microsoft gets cracked, but when their users get robbed or otherwise hurt as a consequence it will hardly make the news. You not knowing of the consequences doesn't mean they don't exist.
The company will be making record profits next year. There maybe consequences but nothing consequential in the grand scheme of things.
Turns out there's more possible consequences than company profits being impacted.

Users are more than just things you milk for cash, they're people that trusted you and your product.

I find this reply incredibly cynical.

GP is clearly saying "this is important because small people will get hurt invisibly" and your hot take is that them being exploited isn't going to impact Microsoft's bottom line, so this isn't newsworthy?

This is vice-signaling.

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.

It says nothing about users being compromised.

This is why they won’t do anything about it though ? Do you understand how it works ?

They’re not going to do anything about the consequences for the users until it impacts their profits.

Name one person who is done with Microsoft after this?

I think the confusion lies between the terms "consequences" and "consequences for Microsoft". There won't be consequences _for Microsoft_ but there will be consequences for regular people. Saying there won't be consequences full stop implies you don't consider the damage to regular people as worthy of discussion or consideration
> It says nothing about users being compromised.

Making my point. It doesn't mean users weren't compromised. And even if it did, that doesn't make it so for every security breach.

> Azure was owned pretty hard a while back, very little was ever heard of it again.

From what I recall, it was a Chinese APT (designated as Storm-0558, which I think means they could not reliably attribute it to any group: https://malpedia.caad.fkie.fraunhofer.de/actor/storm-0558), that was sitting on developers’ workstations long enough to get access to master signing key from a memory dump that ended up on one of the workstations. They then used it to access US government officials’ emails (Department of State if I recall correctly), which supposedly gave China a strategic advantage and a better understanding of inner workings of US foreign policy.

You will not see it in news that China got favourable terms in some negotiations with a country in Africa (are of Chinese interests) and US got least favourable terms than they could’ve gotten because the Chinese negotiators knew something.

I like this bit

  ... a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. 
Yeah, at least they make a very small percentage of all Microsoft employees I guess
Also this:

"To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems."

So email accounts of senior leadership and employees in cybersecurity are apparently not production systems.

They mean root access on the production email servers, not access to individual email accounts.
"any access to customer environments, production systems, source code, or AI systems" does not mean root access. It can also mean access to data.
No, they are not. Production systems are the systems that are producing money. If they stop running for an hour, it directly costs the company money through SLA penalties, etc. If the internal email server goes down for an hour, it might cause some employee productivity loss, depending on the timing.
That may be how Microsoft would like to portray it but I disagree.

A production system is a system that is operated to serve its actual purpose rather than being used as a development or testing environment.

From the point of view of in-house IT, the company's email server is a production system. It is what they produce for their in-house customers.

That is how it has been defined at every SAAS company I have worked for. When someone says there is an outage in production, it means your product.
In the context of an outage at a service provider this slightly sloppy language is sufficient to convey all relevant meaning.

In the current context, this language is part of a pattern to carefully choose words in such a way as to downplay what has happened.

As I said, the work of the CEO, the cybersecurity team and the legal team is part of the overall production process at a software company.

Okay, but then why also not consider chairs breaking in the office to mean part of the production is down? Or a coffee machine?
If my coffee machine suddenly stopped working it would definitely have a detrimental effect on production. I can guarantee you that :)

But in general I would say routine janitorial maintenance issues don't have quite the same potential to affect production as Russian criminals reading the email of Microsoft's cybersecurity team.

If the blog post was written by their internal IT team, you’d be totally justified in reading “production” to include their internal systems.
No. Whether or not a system runs in production as opposed to a testing/development environment is not a question of who is writing a blog post.

Microsoft produces software and services. The communications of their CEO as well as their cybersecurity and legal teams is part of that overall production process.

(comment deleted)
The only defintion that matters is the practical definition that most people would think of, not what the “book” says. Whenever someone tells me “production is down” I think that customers are screwed. If they told me our internal email servers are down, I would smack them in the head cause my stress levels went up for nothing. Internal servers is not production.
I think I disagree but we might be in agreement based on your thoughts… internal servers that are in the path of data pipelines that customers need are also production. For example, let’s say you have a warehouse and there is some way to manage inventory in there. No customer goes into Microsoft dynamics themselves. However, this Microsoft dynamics is production because our customers rely on the data this provides.

It doesn’t matter to customers if Microsoft teams is down and we are talking to each other internally using iMessage and signal but anything that is in the data path is production.

But we're not talking about a service outage. In the context of an outage at a service provider I might agree with you.

In this instance, a system used by the cybersecurity team to do its actual job was breached - not some development or testing server.

We don't know what it was exactly that these attackers were looking for or what they found. But it is absolutely possible that the information they gained enables them to protect an ongoing or future attack against Microsoft's customers.

> Internal servers is not production.

I’m going to take a wild guess here and say you don’t really run any kind of system. “Internal is not production” is the weirdest statement I have heard in a long time.

Of course these systems are production. Not only production, but _P1_ level production.

Test environments serve the production purpose of testing software.
That's pure sophistry.

A system used by the cybersecurity team for its day to day work was breached by attackers constantly trying to break into customer systems.

When having an incident like that, always figure out what is the largest denominator you could compare the exposure against.
Is there any basis for this group being "nation-state" or are they just trying to make themselves seem less incompetent by inflating the attackers' reputation?
Well, Microsoft always took security very seriously. Oh, wait... /s
I wonder which mail client the execs were using. If Outlook, their messages would be already harvested by 700+ companies[0] and another leak wouldn't be an issue.

[0] https://news.ycombinator.com/item?id=38441710

[0] https://news.ycombinator.com/item?id=38953618

“it was Russia, they went thata way!”

this presents no proof, but I’ve read lots of krebs security proof on other exploits and I think it is all very weak

nothing is stopping anybody here from putting breadcrumbs in a payload to point the finger at North Korea or a former Soviet state

This is kind of a silly standard that allows hackers to operate with impunity and companies to avoid accountability and the fbi from not bothering

Depends. If the breadcrumbs are key material which correlates to other known incidents from the same group, or exclusive tooling, or C2 infrastructure, then there is definitely something stopping them from putting breadcrumbs there. They'd have to hack the other group first in order to do so.

I agree with you that seeing evidence would be nice, but I understand that there is the possibility that evidence supporting the claim exists and at the same time cannot be released to the public.

As we've seen, many of the cybersecurity teams have been pwned, so a large part of the breadcrumbs they'd pattern match are already out there. Additionally, if security is poor enough, there can be more than one hacker into a system, which is another way they could accumulate breadcrumbs. This has precedent - there has been malware that uninstalls other malware.
Many? I'm only aware of the Equation group, believed to be the NSA, whose extremely powerful tools were made public.

What other threat actor's internals (and I mean more then chat logs) have been made public?

Why would they have to be made public? They only have to be known to a handful of other nation states.
Because this discussion is about the comment "Nothing is stopping anybody here".

I already conceded in my original response that if you hacked another group first, then yes, you can leave fake breadcrumbs.

My point is that this has already been done. It's not a question of if. Once that's done, these things can spread around.

And I'm also saying you don't necessarily need to hack another group to find their tools.

How did they pivot from a test tenant to corporate email access?

That's the most concerning fact that they just glossed over.

You know, they pivoted.

Non-production tenant PIVOT Satya’s email inbox. Like that.

1. Password spray

2. Access non-prod environment

3. ???

4. "Look at me, look at me, I am the CEO now."

I reflexively read #4 to the tune of Flobots - Handlebars
It was a "Captain Phillips" reference for me.
Reflexively? That song is almost 20 years old! (oh god now I feel old too)
(comment deleted)
Just guessing but perhaps with a phishing attack on a Microsoft domain.
This is genuinely something I hadn't considered. A test tenant may have been in a more than ideal position to stage phishing attacks from. Hopefully this is the case, and not a more concerning lack of disclosure or shudder NSL situation.
I suspect more corpos have exposure like this than any of them would like to admit. E.g.: BigCo picks up a company SmallCo, and inherits their systems for some time. There's some cruddy ancient CRM, IT or travel system, and some random test tenant, that has hooks to email, and from there it's a short step to enumerate targets, send auto-generated emails from a trusted system and the hackers are off to the races.
Yes, it can be an endless headache. A company I worked for had acquired a smaller company with some products and services that nicely complimented our own products and services. From the outside it was a good match and for the most part, the integration went well but they had been using Rational Clearcase for over two decades and absolutely didn't want to migrate to git and the rest of our tool suite. They had very little turnover in their IT department and things ran very well for them but higher ups wanted everyone integrated into a single system and the accounting folks wanted to stop paying fees for all the Rational stuff, especially since they hated dealing with IBM. Infosec had pretty much no knowledge of how to best secure anything on that side and the acquired company had nearly no infosec capabilities of their own. When I left, it was still a point of contention that didn't look to get resolved any time soon.
I wouldn't put it passed them to straight up lie about the vector. How many have worked in these situations where some slick dicky worked up the word salad to make issues sound like non-issues?
>Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts

I have so many questions from this sentence alone. What did they password spray? Microsoft's internal identity provider? Was the non-prod system internet facing? Why isn't MFA enforced?

Indeed. How can they not be mandating MFA?
Maybe this is why it only affected leadership team. Maybe they can circumvent requirements meant for lowly employees.
They got Kerberoasted and don't want to admit it publicly.
Um. Why does "a legacy non-production test tenant account" have "permissions" for "email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions"?
The usual reason include: oversight; mistake; incompetence.
Swiss cheese security as usual
MS is a joke at security and they prob have 2000 person in a building doing this stuff too
>Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium

How do they identify those groups?

They are just making it up.

Security people seems to be of the militaristic type ofent, so I guess they add a slive of war mongering to it to to play ball.

Iran, North Korea and what not. Very convenient since it is not falsifiable in practice.

They are certainly identifiable from their work. State hackers are professionals and they work like other professionals do; they work 9-5 in their local time zone and they have modular implants with code reuse. Amateurs aren't like this.
That's basically the only argument I've heard so far - if a hacking activity happens between 06:00 UTC and 14:00 UTC then it must be the Russians, otherwise it's someone else. Doesn't sound like a very strong argument?

"Modular implants with code reuse" - sounds like exploit kits you can buy on hacking forums.

> "Modular implants with code reuse" - sounds like exploit kits you can buy on hacking forums.

This isn't a category argument, they're using a different one than what you can get on forums.

From the artifacts they leave behind after the attack, broadly speaking.
Easily, they have "vam pizda" and "blyat" sprayed around in their malicious scripts.
Now I understand why Microsoft bought Activision Blizzard. So they could fight Midnight Blizzard.