Microsoft Discloses Cybersecurity Breach by Russian Group Nobelium

In a regulatory filing on Friday, Microsoft revealed that the Russian intelligence group Nobelium, notorious for the SolarWinds breach in 2020, had accessed the email accounts of some of the software maker’s top executives. Detected by Microsoft last week, the attack is the latest in a recurring pattern of intrusions by Russian hackers into the company’s systems.

This incident unfolds against the backdrop of the ongoing conflict between Russia and Ukraine, where state-sponsored cyber-attacks pose an increased threat, especially during times of armed conflict. Microsoft’s announcement aligns with new U.S. requirements for disclosing cybersecurity incidents, emphasizing a commitment to transparency and adherence to the evolving rules.

According to Microsoft, the breach occurred in late November when Nobelium gained access to a legacy non-production test tenant account. The group then used that account’s permissions to access a small percentage of Microsoft corporate email accounts, including those belonging to senior leadership and to employees in cybersecurity, legal, and other functions. The intruders exfiltrated some emails and attached documents.

Despite the breach, Microsoft states that there is no evidence of Nobelium accessing customer data, production systems, or proprietary source code. The Cybersecurity and Infrastructure Security Agency (CISA) is working closely with Microsoft to understand the incident’s impact and protect potential victims.

Nobelium, also known as APT29 or Cozy Bear, is linked to the Russian foreign intelligence service SVR and has a history of sophisticated hacking attempts on U.S. allies and the Department of Defense. While Microsoft is actively investigating the breach, the Federal Bureau of Investigation (FBI) is aware of the attack and is working with federal partners to address the situation.

As the investigation unfolds, Microsoft pledges to take additional actions based on its outcomes and continues to collaborate with law enforcement and regulators to enhance cybersecurity measures.