Microsoft said it's still trying to evict the elite Russian government hackers who broke into the email accounts of senior company executives in November and who it said have been trying to breach customer networks with stolen access data.
The hackers from Russia's SVR foreign intelligence service
used data obtained in the intrusion, which it disclosed in mid-January, to
compromise some source-code repositories and internal systems, the software
giant said in a blog and a regulatory filing.
A company spokesman would not characterize what source code
was accessed and what capability the hackers gained to further compromise
customer and Microsoft systems. Microsoft said Friday that the hackers stole
“secrets” from email communications between the company and unspecified
customers — cryptographic secrets such as passwords, certificates and
authentication keys —and that it was reaching out to them “to assist in taking
mitigating measures.”
Cloud-computing company Hewlett Packard Enterprise disclosed
on Jan. 24 that it, too, was an SVR hacking victim and that it had been
informed of the breach — by whom it would not say — two weeks earlier,
coinciding with Microsoft’s discovery it had been hacked.
“The threat actor’s ongoing attack is characterized by a
sustained, significant commitment of the threat actor’s resources,
coordination, and focus,” Microsoft said Friday, adding that it could be using
obtained data “to accumulate a picture of areas to attack and enhance its
ability to do so.” Cybersecurity experts said Microsoft’s admission that the
SVR hack had not been contained exposes the perils of the heavy reliance by
government and business on the Redmond, Washington, company’s software
monoculture — and the fact that so many of its customers are linked through its
global cloud network.
“This has tremendous national security implications,"
said Tom Kellermann of the cybersecurity firm Contrast Security. "The
Russians can now leverage supply chain attacks against Microsoft’s
customers."
Amit Yoran, the CEO of Tenable, also issued a statement,
expressing both alarm and dismay. He is among security professionals who find
Microsoft overly secretive about its vulnerabilities and how it handles hacks.
“We should all be furious that this keeps happening,” Yoran
said. "These breaches aren’t isolated from each other and Microsoft’s
shady security practices and misleading statements purposely obfuscate the
whole truth.”
Microsoft said it had not yet determined whether the
incident is likely to materially impact its finances. It also said the
intrusion's stubbornness “reflects what has become more broadly an
unprecedented global threat landscape, especially in terms of sophisticated
nation-state attacks.”
The hackers, known as Cozy Bear, are the same hacking team
behind the SolarWinds breach.
When it initially announced the hack, Microsoft said the SVR
unit broke into its corporate email system and accessed accounts of some senior
executives as well as employees on its cybersecurity and legal teams. It would
not say how many accounts were compromised.
At the time, Microsoft said it was able to remove the
hackers' access from the compromised accounts on or about Jan. 13. But by then,
they clearly had a foothold.
It said they got in by compromising credentials on a
“legacy” test account but never elaborated.
Microsoft's latest disclosure comes three months after a new
U.S. Securities and Exchange Commission rule took effect that compels publicly
traded companies to disclose breaches that could negatively impact their
business.