Microsoft revealed on Friday that it continues to grapple with expelling Russian government hackers associated with the SVR foreign intelligence service. These hackers breached the email accounts of senior Microsoft executives in November and have since been attempting to infiltrate customer networks using stolen access data. The SVR hackers used the data obtained during the intrusion to compromise source-code repositories and internal systems; Microsoft first disclosed the incident in mid-January.
The company spokesperson did not specify which source code was accessed or what capabilities the hackers gained to further compromise customer and Microsoft systems. Microsoft stated that the hackers pilfered "secrets" from email communications, including cryptographic secrets such as passwords, certificates, and authentication keys. The company is actively reaching out to affected customers to help them implement mitigating measures.
Hewlett Packard Enterprise also disclosed on January 24 that it fell victim to SVR hacking. The ongoing nature of the attack by the threat actor, characterized by sustained commitment and coordination, raises concerns. Microsoft warned that the obtained data could be used to build a comprehensive picture for future attacks. Cybersecurity experts highlight the national security implications, emphasizing the risk of supply chain attacks against Microsoft's customers.
Amit Yoran, CEO of Tenable, expressed alarm and dismay, criticizing Microsoft for being overly secretive about vulnerabilities and about how it handles hacks. Microsoft clarified that it has not yet determined whether the incident will materially impact its finances. The company attributed the persistent intrusion to an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.
The SVR, known as Cozy Bear, was also behind the SolarWinds breach. In the initial announcement of the hack, Microsoft mentioned that it removed the hackers' access from compromised accounts around January 13 but acknowledged the foothold the hackers had established. The latest disclosure aligns with a new US Securities and Exchange Commission rule compelling publicly traded companies to disclose breaches that could negatively impact their business, highlighting the increasing scrutiny on cybersecurity incidents.