Microsoft says senior leadership team emails accessed in ‘nation-state’ hack tied to Russia

Microsoft CEO Satya Nadella

Microsoft said Friday that Russian hackers accessed the email accounts of several senior executives at the company, taking email messages and attached documents in a cyberattack that began in November.

Microsoft said it detected the intrusion just one week ago, on Friday, January 12, and promptly shut it down. The company is currently working with law enforcement and examining the material accessed by the hackers to determine the impact of the attack, it said in a regulatory filing on Friday.

“There is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” Microsoft said in a separate blog post about the incident, noting that it would notify customers if any action is required.

The length of time that the incident went undetected, and the fact that emails of Microsoft’s top executives were accessed, is an embarrassing lapse for the software giant, the world’s most valuable company with a roughly $3 trillion stock market valuation. And at a time when advanced artificial intelligence technology like Microsoft’s and its close partner OpenAI’s has become a central aspect of geopolitical rivalries, the breach is likely to raise broader concerns over the security of important American technology.

“This is a big deal, and Microsoft owes all of us a much more detailed description of what happened,” said Alex Stamos, a cybersecurity expert at security firm SentinelOne, in a social media post following the announcement on Friday.

In its blog post, Microsoft pointed the finger at Midnight Blizzard, a Russian state-sponsored hacker group also known as Nobelium. The same group was responsible for the infamous cyberattack on the software firm SolarWinds in 2020, compromising its widely utilized tool for IT management and monitoring called Orion, giving the group access to sensitive information at government agencies and prominent corporations.

Beginning in late November, the hackers used a so-called “password spray attack” to access a “legacy non-production test tenant account and gain a foothold,” Microsoft explained in the blog post. Microsoft said the attack was not the result of a vulnerability in Microsoft products or services.

In a 2021 blog post, Microsoft had announced that it was “auditing unused privileged accounts and working with partners to assess and remove unnecessary privilege and access.” However, that’s exactly how the Russian hackers gained access, according to the regulatory filing.

According to Microsoft, the hackers “gained access to and exfiltrated information from a very small percentage of employee email accounts,” belonging to unnamed senior executives as well as members of the company’s legal team and cybersecurity team.

As a result of the attack, Microsoft said on Friday, it was immediately applying its current security standards to legacy systems and to internal business processes.

“This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy,” Microsoft said.

Do you have insight to share? Got a tip? Contact Kylie Robison at kylie.robison@fortune.com, through secure messaging app Signal at 415-735-6829, or via X DM.
