Last week Microsoft revealed that it had discovered an attack on its corporate systems by Russian hackers known as Nobelium. The attackers were able to read the email accounts of some members of Microsoft's senior leadership, potentially spying on them for weeks or months. Microsoft gave few details of how the attackers got in when it filed its disclosure with the SEC last Friday, but it has now published a first analysis of how they overcame its defences.
Nobelium initially gained access to Microsoft's systems through a "password spray attack". In a spray, attackers try a short list of common passwords against many accounts, rather than many passwords against one account, so that no single account accumulates enough failures to trigger a lockout. It is an unrefined method, but it clearly works. Notably, the account that was compromised did not have two-factor authentication enabled, so a single guessed password was enough.
Nobelium "has adapted its password spray attacks to a limited number of accounts using a low number of attempts to evade detection," Microsoft explains.
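The detection problem Microsoft describes is that a low-and-slow spray stays under every per-account lockout threshold, so it only becomes visible when failed sign-ins are grouped by source rather than by account. The following Python is an added example and is not code from the article or from Microsoft: it runs that grouping over a constructed sign-in log (the log format, usernames and addresses are all made up for the example), flags sources that fail against many accounts with only a few guesses each, and then lists any account that later signed in successfully from a spraying source, which is the account to check for MFA first.

```python
"""Added example (not from the article or from Microsoft): spot a low-and-slow
password spray by pivoting failed sign-ins on the source address. The log
format, accounts and addresses below are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (timestamp, outcome, account, source address).
# 203.0.113.7 sprays six accounts with one guess each and finally lands on a
# test account; 198.51.100.9 hammers a single account (classic brute force);
# 192.0.2.44 is an ordinary user mistyping once. Addresses are from
# documentation ranges and do not refer to real hosts.
SAMPLE_LOG = """\
2023-11-20T02:10:05Z FAIL    user=alice    src=203.0.113.7
2023-11-20T02:41:12Z FAIL    user=bob      src=203.0.113.7
2023-11-20T03:15:44Z FAIL    user=carol    src=203.0.113.7
2023-11-20T03:59:01Z FAIL    user=dave     src=203.0.113.7
2023-11-20T04:30:28Z FAIL    user=erin     src=203.0.113.7
2023-11-20T05:02:19Z FAIL    user=svc-test src=203.0.113.7
2023-11-20T05:44:50Z SUCCESS user=svc-test src=203.0.113.7
2023-11-20T06:00:00Z FAIL    user=frank    src=198.51.100.9
2023-11-20T06:00:01Z FAIL    user=frank    src=198.51.100.9
2023-11-20T06:00:02Z FAIL    user=frank    src=198.51.100.9
2023-11-20T06:00:03Z FAIL    user=frank    src=198.51.100.9
2023-11-20T06:00:04Z FAIL    user=frank    src=198.51.100.9
2023-11-20T06:00:05Z FAIL    user=frank    src=198.51.100.9
2023-11-20T09:12:00Z FAIL    user=alice    src=192.0.2.44
2023-11-20T09:12:30Z SUCCESS user=alice    src=192.0.2.44
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, outcome, user, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user_kv, src_kv = line.split()
        events.append((
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            outcome,
            user_kv.split("=", 1)[1],
            src_kv.split("=", 1)[1],
        ))
    return events


def detect_spray(events, window=timedelta(hours=24), min_accounts=5, max_per_account=3):
    """Return {src: (window_start, sorted accounts)} for sources whose failures
    within `window` hit at least `min_accounts` distinct accounts while never
    exceeding `max_per_account` guesses per account. The per-account cap is the
    point: a lockout policy of, say, five bad passwords never fires, so the
    spray is only visible when failures are pivoted by source, not by account."""
    fails_by_src = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "FAIL":
            fails_by_src[src].append((ts, user))

    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_account = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_account[user] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                flagged[src] = (start, sorted(per_account))
                break  # report the first qualifying window per source
    return flagged


def successes_after_spray(events, flagged):
    """Accounts that signed in successfully from a spraying source after the
    spray began: the likely compromised ones, and the first to check for MFA."""
    hits = []
    for ts, outcome, user, src in events:
        if outcome == "SUCCESS" and src in flagged and ts >= flagged[src][0]:
            hits.append((user, src))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = detect_spray(evs)
    for src, (start, accounts) in sprays.items():
        print(f"spray from {src} starting {start:%Y-%m-%d %H:%M}: {len(accounts)} accounts")
    for user, src in successes_after_spray(evs, sprays):
        print(f"  likely compromised: {user} (success from {src})")
```

Run against the sample, only 203.0.113.7 is reported: the brute-force source fails many times but against one account, and the mistyping user never reaches the account threshold. The thresholds are deliberately parameters; an attacker spreading guesses over a week or over many source addresses will need a longer window or a pivot on another field (user agent, ASN, tenant) to show up.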
From that foothold, the group "has exploited initial access to identify and compromise an OAuth application that had high-level access to the Microsoft enterprise environment". OAuth is a widely used standard for delegated, token-based authorization: it lets a user or administrator grant an application access to resources on their behalf without handing the application their password. An application that has been granted broad permissions therefore holds tokens that are as valuable as a privileged account, and they are rarely protected by two-factor authentication.
This privileged access let the group register further malicious OAuth applications and create new accounts, with which it reached Microsoft's corporate environment and ultimately the Office 365 Exchange Online service that hosts the email inboxes.
What damage did the attack do?
Microsoft did not disclose how many business email accounts were targeted or how many the hackers actually got into, but the company previously said that these were "a very small percentage of Microsoft business email accounts, including members of our senior leadership and employees across our cybersecurity, legal and other functions."
Microsoft has also not yet given an exact timeline of how long the hackers were reading its leadership's and other employees' email. The initial intrusion took place in late November 2023, but Microsoft only discovered it on January 12, which means the attackers may have had access to executives' mailboxes for nearly two months.
Meanwhile, Microsoft also fired 1,900 employees from its gaming division.