Last Friday after market close, Microsoft submitted an 8-K filing to the U.S. Securities and Exchange Commission (SEC) disclosing that Nobelium, a Russian hacking group, had gained access to its top executives’ email accounts, specifically targeting those in its cybersecurity and legal departments. The attack had been detected by Microsoft a week earlier and has since been determined by the company to have started in November 2023.
Microsoft shared news of the hack in a blog post, which emphasized the company’s commitment “to sharing more information and our learnings so that the community can benefit from both our experience and observations about the threat actor.”
In that spirit, what can we as outside observers learn from the most recent hack? It seems that the issues are at least threefold:
Cybersecurity shouldn’t be this hard. The basic techniques used by Nobelium are well known in the security space, making Microsoft’s security lapse all the more remarkable.
New SEC disclosure rules are already having an impact.
Persistent adversaries continue to operate with near impunity.
A Familiar Bad Actor
Nobelium is bad news. Also known as Midnight Blizzard, Cozy Bear, APT29, or The Dukes, Nobelium is considered by the U.S. government to be part of the Russian foreign intelligence service. The group was responsible for the 2020 espionage campaign against SolarWinds, which was a “master class in novel hacking techniques.” Nobelium compromised software updates to SolarWinds’s Orion Platform that were released to nearly 18,000 customers across both the federal government and the private sector, including Microsoft—which confirmed that its products were infiltrated as part of the hack. Both the U.S. government and Microsoft have since called this the most sophisticated cyberattack to date.
So the same group that hacked Microsoft last week also hacked them in 2020. It isn’t likely that was a surprise—from April 2021 to April 2023, Microsoft named Nobelium in each of its quarterly and annual filings with the SEC as a potential risk to the company, stating Microsoft “may be targets of further attacks” by the group.
This suggests two things: First, it’s fair to say that Microsoft saw them coming. Second, adversary groups are persistent. Notwithstanding the accurate threat intelligence, Nobelium still got in.
What’s different this time is how Nobelium got in. Unlike the highly sophisticated SolarWinds attack, the one disclosed last week was quite rudimentary, raising some questions about the attentiveness with which Microsoft addressed its own security. As some security experts have noted, Microsoft’s security “clanger [was] unbelievable.” More prosaically, as Sen. Ron Wyden (D-Ore.) told CyberScoop, it was “wholly avoidable.” The details are not pretty.
As Microsoft noted in its blog post, the Nobelium hack “was not the result of a vulnerability in Microsoft products or services.” While this is technically true (in that no formally identified vulnerability was exploited), it obscures the reality that the exploitation resulted from poor security practices within the Microsoft enterprise.
To begin with, the hackers got in through a password-spraying attack. Password spraying is a very basic brute-force attack in which the malicious actor tries a single common password against multiple accounts on the same system or application to gain access to users’ accounts. Recommended defenses against such attacks reflect the basics of cybersecurity, including enforcing strong, complex passwords, detecting suspicious login attempts, and establishing adequate lockout policies.
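An added example, not from the original article or from Microsoft: a minimal detector for the spray pattern described above, run over constructed sign-in events. The event format, thresholds, and account names are assumptions made for illustration; it flags a source that fails against many distinct accounts while staying under a per-account lockout limit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (ISO timestamp, source IP, account, outcome).
# IPs come from documentation ranges; account names are made up.
EVENTS = [
    ("2024-01-10T02:00:05", "203.0.113.7", "alice", "fail"),
    ("2024-01-10T02:00:41", "203.0.113.7", "bob", "fail"),
    ("2024-01-10T02:01:17", "203.0.113.7", "carol", "fail"),
    ("2024-01-10T02:01:52", "203.0.113.7", "dave", "fail"),
    ("2024-01-10T02:02:30", "203.0.113.7", "test-svc", "success"),
    ("2024-01-10T09:15:00", "198.51.100.20", "erin", "fail"),
    ("2024-01-10T09:15:09", "198.51.100.20", "erin", "fail"),
    ("2024-01-10T09:15:20", "198.51.100.20", "erin", "success"),
]

LOCKOUT_THRESHOLD = 5            # assumed per-account lockout policy
MIN_ACCOUNTS = 4                 # distinct accounts failed from one source
WINDOW = timedelta(minutes=30)   # assumed correlation window

def detect_spray(events, min_accounts=MIN_ACCOUNTS, window=WINDOW):
    """Flag sources that fail against many distinct accounts within one window."""
    by_source = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_source[ip].append((datetime.fromisoformat(ts), user, outcome))
    findings = {}
    for ip, rows in by_source.items():
        rows.sort()
        for start, _, _ in rows:
            in_win = [r for r in rows if start <= r[0] < start + window]
            fails = defaultdict(int)
            for _, user, outcome in in_win:
                if outcome == "fail":
                    fails[user] += 1
            if len(fails) >= min_accounts:
                worst = max(fails.values())
                findings[ip] = {
                    "targets": sorted(fails),
                    # True when no single account would have been locked out
                    "evades_lockout": worst < LOCKOUT_THRESHOLD,
                    # Successful sign-ins from the same source: review first
                    "successes": sorted({u for _, u, o in in_win if o == "success"}),
                }
                break
    return findings

if __name__ == "__main__":
    for ip, finding in detect_spray(EVENTS).items():
        print(ip, finding)
```

The second source, with repeated failures on a single account followed by a success, is deliberately not flagged: that is the shape a lockout policy already handles, whereas the spray is only visible when failures are correlated across accounts.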
Nor are password attacks in some way unexpected. Vasu Jakkal, Microsoft’s corporate vice president of security, compliance, identity, and management, appeared on CNBC in November to discuss the sheer number of password attacks Microsoft customers are subjected to. She did so in the context of praising Microsoft’s new AI tools, which are intended to help “protect comprehensively” against techniques such as password sprays.
Second, Microsoft also disclosed that the Nobelium hackers had compromised a legacy nonproduction test tenant account, which is to say a dormant test account that was no longer in routine use. Industry best practices suggest that such accounts should be routinely purged, should never have been accessible from the outside, and should never be kept connected to active production accounts (like those of the senior leaders whose emails were compromised). For any technology company—let alone Microsoft, the world’s recently minted most valuable company—this was a misstep that was, at a minimum, poor cyber hygiene, if not worse.
The company’s Jan. 19 disclosure of Nobelium’s hack comes just one month after new SEC rules went into effect, requiring public companies to disclose material cybersecurity incidents within four business days of determining an incident is material. In its filing, Microsoft says it has not yet determined whether the incident is reasonably likely to impact its financial condition or results of operations in a material way.
Thus, the SEC disclosure is anodyne and far less detailed than the company’s blog post. But it is nonetheless quite notable, if only because one wonders about what the timing and content of Microsoft’s disclosure would have been in the absence of the SEC rule. At a minimum, we can note that the rule seems to have had the desired effect of alerting the public to the incident promptly (and perhaps more promptly than Microsoft would have wanted). We can also wonder if, going forward, the costs of greater transparency will exceed the benefits gained from disclosure. The rule might, for example, result in over-reporting of trivial events and generate significant response and monitoring costs without appreciably enhancing security.
Sadly, there is little chance of bringing any of the Nobelium hackers to justice. They will continue to hide behind a wall of Russian protection, and, at least for now, the prospect of making diplomatic advances with Russia appears virtually nonexistent. With little hope of imposing consequences on malicious actors, we are left to focus on improving our defensive measures.
This particular case is a job for the Cybersecurity and Infrastructure Security Agency’s Cyber Safety Review Board. The board, as it describes itself, serves “a deliberative function to review and assess significant cyber incidents and make concrete recommendations that would drive improvements within the private and public sectors.” The board already has an open inquiry into the Microsoft Exchange Online intrusion reported in July 2023.
The latest significant successful attack on Microsoft infrastructure certainly seems to qualify for additional scrutiny. Indeed, if Microsoft’s president, Brad Smith, is right, and the front line of Ukraine runs right through Redmond, then cybersecurity in Redmond is part of the national defense. A successful intrusion in Redmond (especially one that seems, on its face, so simplistic) is not just a risk to Microsoft; it’s a national security risk.
Were I on the Cyber Safety Review Board, here are some of the critical questions that I might ask:
How long has Nobelium been in Microsoft’s systems, and was Microsoft ever able to remove Nobelium from its systems after the SolarWinds hack?
Which executives did Nobelium target in this breach, and why?
Could Microsoft’s cybersecurity products have prevented this? If so, why weren’t they being utilized?
With Microsoft’s dominance of the U.S. government office productivity software market, what are the national security implications of this hacking campaign—and the inevitable campaigns to come—being successfully executed against Microsoft? Are Microsoft’s government customers more secure than Microsoft itself?
Microsoft is right to suggest in its blog that the technology community carefully review and learn from each and every incident. A thorough examination by the board would help.