Microsoft’s cybersleuths haven’t been able to expel the Cosy Bears. Photo: Getty

Microsoft says it’s still trying to evict the elite Russian government hackers who broke into the email accounts of senior company executives in November.

It says the hackers have been trying to breach customer networks with stolen access data.

The hackers from Russia’s SVR foreign intelligence service used data obtained in the intrusion, which it disclosed in mid-January, to compromise some source-code repositories and internal systems, the software giant said in a blog and a regulatory filing.

A company spokesman would not characterise what source code was accessed and what capability the hackers gained to further compromise customer and Microsoft systems.

H-P hit too
Microsoft said on Friday that the hackers stole “secrets” from email communications between the company and unspecified customers – cryptographic secrets such as passwords, certificates and authentication keys – and it was reaching out to them “to assist in taking mitigating measures”.

Cloud-computing company Hewlett Packard Enterprise disclosed on January 24 that it, too, was an SVR hacking victim and it had been informed of the breach – without revealing by who – two weeks earlier, coinciding with Microsoft’s discovery it had been hacked.

“The threat actor’s ongoing attack is characterised by a sustained, significant commitment of the threat actor’s resources, co-ordination, and focus,” Microsoft said on Friday.

It added that the hackers could be using obtained data “to accumulate a picture of areas to attack and enhance its ability to do so”.

Cybersecurity experts said Microsoft’s admission the SVR hack had not been contained exposed the perils of the heavy reliance by government and business on the Redmond, Washington, company’s software monoculture – and the fact that so many of its customers were linked through its global cloud network.

“This has tremendous national security implications,” said Tom Kellermann of the cybersecurity firm Contrast Security.

“The Russians can now leverage supply chain attacks against Microsoft’s customers.”

Amit Yoran, the CEO of Tenable, also issued a statement, expressing both alarm and dismay.

Not isolated breaches
He is among security professionals who find Microsoft overly secretive about its vulnerabilities and how it handles hacks.

“These breaches aren’t isolated from each other and Microsoft’s shady security practices and misleading statements purposely obfuscate the whole truth,” Yoran said.

Microsoft said it had not yet determined whether the incident was likely to materially impact its finances.

It also said the intrusion’s stubbornness “reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”

The hackers, known as Cozy Bear, are the same hacking team behind the SolarWinds breach.

When it initially announced the hack, Microsoft said the SVR unit broke into its corporate email system and accessed accounts of some senior executives as well as employees on its cybersecurity and legal teams. It would not say how many accounts were compromised.

At the time, Microsoft said it was able to remove the hackers’ access from the compromised accounts on or about January 13.

It said they got in by compromising credentials on a “legacy” test account.


Link to article:


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Please do not use this for support questions.

Post Comment