Microsoft is offering an update into the hack it first reported in January—and things aren’t looking good. The tech giant says state-sponsored hackers, backed by Russia, are still trying to access its systems and successfully stole “some of the company’s source code repositories and internal systems.”

The hackers, who call themselves Midnight Blizzard or Nobelium, were also responsible for the SolarWinds attack that compromised the Treasury and Commerce Departments in December 2020.

“In recent weeks, we have seen evidence that Midnight Blizzard [Nobelium] is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” Microsoft wrote in a blog post. “This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Obtaining source code is a big win for hackers, as it lets them discover how a software program functions, allowing them to probe it for weaknesses. That knowledge can be used to launch follow-up attacks in unexpected ways.

In a filing with the Securities and Exchange Commission (SEC), Microsoft said the attack has not had a material impact on its operations, but warned that was still a possibility, despite increased security investments and coordination with federal law enforcement officials.

“Since the date of the Original Filing, the Company has determined that the threat actor used and continues to use information it obtained to gain, or attempt to gain, unauthorized access to some of the Company’s source code repositories and internal systems,” the filing reads. “The threat actor’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus.”

Microsoft said the hacker group was attempting to access both company secrets as well as secrets shared between Microsoft and its customers. It is reaching out to affected companies to offer assistance, it said.

Midnight Blizzard/Nobelium initially breached Microsoft last year, using what’s known as a password spray attack, a brute force method where hackers attempt to use a catalog of possible passwords. The initial attack came soon after a security attack on the company’s Azure cloud system.

The hackers are ramping up those sorts of attacks now.

“Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as tenfold in February, compared to the already large volume we saw in January 2024,” Microsoft said.

The chief focus of the hackers is intelligence gathering. Midnight Blizzard/Nobelium most often targets governments, think tanks, information technology service providers and diplomats in the U.S. and Europe and is thought to share the information with Russia’s foreign intelligence service.

Russia has denied involvement in the attack.

Microsoft said its investigation of the attack is still ongoing and it will continue to give updates on what it finds. In the meantime, it added, it has “enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat. We have and will continue to put in place additional enhanced security controls, detections, and monitoring.”


2 thoughts on “Microsoft says Russian hackers continue to attack—and stole some of its source code”

Leave a Reply

Your email address will not be published. Required fields are marked *