The Russian state-sponsored bad actors who hacked into the corporate email accounts of executives at Microsoft are taking another run at the IT giant, this time using information stolen then to access the company’s source code repositories and other internal systems now.

The Midnight Blizzard group – also known as Nobelium, Cozy Bear, and APT29 – initially was detected in Microsoft’s email system in January and has since been running an ongoing, calculated campaign since, ramping up its efforts in February since what the tech vendor said was already a significant push in January.

So far, the company has “found no evidence that Microsoft-hosted customer-facing systems have been compromised,” the Microsoft Security Response Center (MSRC) wrote in a blog post Friday.

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” the MSRC wrote. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.”

The ongoing attack involves what Microsoft describes as a “sustained, significant commitment of the threat actor’s resources, coordination, and focus,” adding that the bad actors could be using the information is already has stolen to pull together a picture of areas to attack and to improve its ability to do so.

“This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks,” the MSRC wrote.

Threat Group First Detected in January

Microsoft security pros in January determined that the Midnight Blizzard actors has been present in a “very small percentage of employee email accounts including members of our senior leadership team and employees in our cybersecurity, legal, and other functions” since late November 2023, the company wrote in a filing with the U.S. Securities and Exchange Commission (SEC) Friday.

In its first report that month, Microsoft said Midnight Blizzard used a password spray attack to compromise a legacy non-production test tenant accounts to get a foothold into the company’s systems and then used the account’s permission to access the corporate email accounts. Initially the threat actors were looking for information related to Midnight Blizzard itself, the company wrote.

A password spray attack is a brute-force attack that involves the bad actor using the same password on multiple accounts before trying to use another one.

Linked to Russian Intelligence Service

Midnight Blizzard is linked to Russia’s Foreign Intelligence Service (SVR) and has been around for more than a decade. It’s best known for the high-profile software supply-chain attack on SolarWinds. The threat group first breached SolarWinds’ system in 2019, but wasn’t detected until 2020. During that time, Midnight Blizzard dropped a remote access trojan (RAT) into SolarWinds’ Orion software that was widely used to manage IT systems for more than 30,000 customers that included not only commercial businesses but also U.S. government agencies.

The hack of Microsoft’s systems also drew a lot of attention, particularly given the amount of time the attackers were able to spend inside before being detected.

Around the same time that Microsoft made the attack public, Hewlett Packard Enterprise reported in an SEC filing that the same group also had broken into its cloud-based email environment. HPE was notified about the breach in December 2023 and an investigation later found that Midnight Blizzard beginning in May of that year had accessed and began exfiltrating data “from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

Microsoft said Friday that it had increased its spending on security tools and coordination across the enterprise in response to Midnight Blizzard’s ongoing campaign and had their “ability to defend ourselves and secure and harden our environment against this advanced persistent threat.”

An Old Exploit Story

Some security professionals said it wasn’t surprising to see the threat group continue to leverage the advantage it gained by getting into Microsoft’s systems. Tim Callan, chief experience office at Sectigo, said the exploit began with the same basic compromising of credentials that is seen in almost all similar attacks.

“Once the attacker has inappropriate access, a whole host of additional malicious activity becomes possible,” Callan said. “Stronger authentication methods, including PKI-based authentication, are our single most powerful defense against these breaches.”

That said, John Bambenek, president of Bambenek Consulting, warned that when something like source code is stolen, a company’s security team needs to consider how that information can be used in future attacks on the organization and its customers.

“Ironically enough, secrets being part of the data being stolen makes this work a little easier,” Bambenek said. “Attackers naturally gravitate towards credentials so defenders can put more strict monitoring on the underlying accounts to look for misuse – after rotating the keys or passwords, of course. That seems to be what’s driving the additional insights Microsoft provided this morning.”

However, this isn’t like tradition expulsion efforts in incident response, where defenders simply close whatever doors the attacker opened. Instead, “source code and secret theft requires ongoing monitoring, remediation, and response months after the breach was mitigated,” he said.