This time, hackers attacked corporate execs, not customers. That might finally push the US government to focus on long-ignored security concerns.

Another day, another hack of Microsoft technology. Ho-hum, you might think, this has happened before and will happen again — as surely as the sun rises in the morning and sets at night.

This time is different. Because this time the targets weren’t Microsoft customers, but rather the top echelons of Microsoft itself. And the hacker group, called Midnight Blizzard, or sometimes Cozy Bear, the Dukes, or APT29, is sponsored by Russia’s Foreign Intelligence Service (and has been since at least 2008).

And this time, the hack might persuade the federal government to finally take a harder line against Microsoft’s and Windows’ continuing vulnerabilities. To understand why, let’s start with a look at the hack itself.

Hacked by a simple, basic trick

Midnight Blizzard is well known for its sophisticated cyberattack capabilities, including the SolarWinds supply-chain attack in which it broke into the company, which offers system management tools used for network and infrastructure monitoring, and embedded malware into SolarWinds’ software. That malware was then distributed to thousands of the company’s customers, among them eight or more federal agencies, including the US Department of Defense, Department of Homeland Security, and the Treasury Department, and tech and security firms, including Intel, Cisco, and Palo Alto Networks.

Microsoft said that hack was “the most sophisticated nation-state cyberattack in history.” The hack also involved infiltrating Democratic National Committee servers, stealing emails and documents, and releasing them publicly.

This time around, though, Midnight Blizzard didn’t have to build a sophisticated hacking tool.
To attack Microsoft, it used one of the most basic of basic hacking tricks, “password spraying.” In it, hackers type commonly used passwords into countless random accounts, hoping one will give them access. Once they get that access, they’re free to roam throughout a network, hack into other accounts, steal email and documents, and more.

In a blog post, Microsoft said Midnight Blizzard broke into an old test account using password spraying and then used the account’s permissions to get into “Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions,” and steal emails and documents attached to them.

The company claims the hackers initially targeted information about Midnight Blizzard itself, and that “to date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”

As if to reassure customers, the company noted, “The attack was not the result of a vulnerability in Microsoft products or services.”

That should reassure no one. Midnight Blizzard succeeded because Microsoft violated two basic cybersecurity rules: Make sure all accounts use strong passwords, and close all unused accounts. If the company can’t follow such simple rules, you might wonder whether it can be trusted to protect its customers against hacking.

And note that Microsoft didn’t promise Midnight Blizzard hasn’t used its access to break into its customers’ networks, or even more frightening, into its AI systems. It only said that “to date” it’s found no evidence of that, and that it’s still investigating.

Why this is more than just a black eye

The hack, especially because it was accomplished so easily, is a black eye for Microsoft. But it’s even worse. It comes after a series of high-profile hacks of Microsoft technologies that angered the feds so much they’ve been looking into Microsoft’s security protocols.
The Washington Post writes: “Government officials and outside security experts have repeatedly called out weak authentication requirements, test accounts and the ease in creating new accounts as major holes in Microsoft service protections…. Friday’s disclosure also comes during investigations by the Department of Homeland Security’s cyber safety review board and others into lapses in Microsoft security that allowed Chinese government hackers to steal unclassified email from top US diplomats ahead of a summit between the two nations last year.”

In a speech at Carnegie Mellon University last year, Cybersecurity and Infrastructure Security Agency Director Jen Easterly criticized Microsoft because only about a quarter of its enterprise customers use multifactor authentication. It’s exceedingly rare that federal officials publicly target companies that way.

At around the same time, the Biden Administration released a new National Cybersecurity Strategy that calls on tech firms and private industry to follow best security practices such as patching systems to fight newly found vulnerabilities and using multifactor authentication whenever possible.

An accompanying fact sheet warns: “Poor software security greatly increases systemic risk across the digital ecosystem and leave American citizens bearing the ultimate cost. We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software.”

This latest Microsoft hack seems to be a textbook case of violating that strategy. But the strategy requires legislative action if it’s to have teeth, and when it comes to regulating tech, Congress is decidedly hands-off. At the moment, violating the strategy appears to get you little more than a finger-wagging “shame on you.”

That inaction isn’t likely to last forever. Republicans and Democrats have both made tech companies their latest whipping boy.
And Microsoft, which gets billions of dollars in federal contracts, including $150 million to improve cloud security, could eventually see some of its contracts cancelled if it doesn’t even adhere to the simplest of cybersecurity precautions. (Sen. Ron Wyden (D-OR), has already threatened he might do just that.) This latest hack of Microsoft could just be the thing that makes Congress finally take action.
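
Password spraying as described earlier (a few common passwords tried across many accounts) leaves a recognizable pattern in sign-in logs: one source, many accounts, few failures per account. The Python detection below is an added example, not code from this article or from Microsoft; the log format, thresholds, IP addresses and account names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (time, source IP, account, result); not real data.
SAMPLE_LOG = """\
2024-01-10T09:00:01,203.0.113.7,alice,FAIL
2024-01-10T09:00:03,203.0.113.7,bob,FAIL
2024-01-10T09:00:05,203.0.113.7,carol,FAIL
2024-01-10T09:00:07,203.0.113.7,dave,FAIL
2024-01-10T09:00:09,203.0.113.7,erin,FAIL
2024-01-10T09:00:11,203.0.113.7,test-legacy,FAIL
2024-01-10T09:20:01,203.0.113.7,alice,FAIL
2024-01-10T09:20:03,203.0.113.7,bob,FAIL
2024-01-10T09:20:05,203.0.113.7,test-legacy,OK
2024-01-10T09:05:00,198.51.100.20,frank,FAIL
2024-01-10T09:05:20,198.51.100.20,frank,FAIL
2024-01-10T09:06:10,198.51.100.20,frank,OK
"""

def parse(log):
    """Return events as (datetime, ip, account, result), sorted by time."""
    rows = (line.split(",") for line in log.strip().splitlines())
    return sorted((datetime.fromisoformat(t), ip, acct, res) for t, ip, acct, res in rows)

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_tries=3):
    """Flag sources failing against many accounts with few tries per account."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, first in enumerate(fails):
            # Count failures from this source inside one window starting at `first`.
            tries = defaultdict(int)
            for ts, _, acct, _ in fails[i:]:
                if ts - first[0] <= window:
                    tries[acct] += 1
            if len(tries) >= min_accounts and max(tries.values()) <= max_tries:
                # A later success from the same source marks a likely compromise.
                hit = sorted({a for ts, _, a, r in evs if r == "OK" and ts >= first[0]})
                findings[ip] = {"accounts_tried": len(tries), "compromised": hit}
                break
    return findings

if __name__ == "__main__":
    for ip, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The single user who mistypes a password a couple of times is not flagged, because the failures hit only one account; the spraying source is flagged along with the constructed stale test account it eventually signed in to.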