Midnight Blizzard: Russian APT Group Attacks Microsoft Executives' Email

admin, 2024-01-22 11:40:10


Microsoft on Friday revealed that it was the target of a nation-state attack on its corporate systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company's cybersecurity and legal departments.


The Windows maker attributed the attack to a Russian advanced persistent threat (APT) group it tracks as Midnight Blizzard (formerly Nobelium), which is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes.


It further said that it immediately took steps to investigate, disrupt, and mitigate the malicious activity upon discovery on January 12, 2024. The campaign is estimated to have commenced in late November 2023.


"The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account's permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents," Microsoft said.

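The foothold described above came from a password spray against a legacy test tenant account, which is a pattern a defender can look for in sign-in logs: one source failing against many distinct accounts in a short window, with few attempts per account. The following is an added example, not code from the article or from Microsoft; the sign-in events, the 10-minute window and the four-account threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, source IP, account, outcome).
# 203.0.113.7 shows the spray pattern: one attempt each against many accounts,
# ending in a success against a legacy test account. 198.51.100.4 hammers a
# single account, which is brute force rather than a spray.
SAMPLE_EVENTS = [
    ("2023-11-28T02:00:01", "203.0.113.7", "alice@corp.example", "failure"),
    ("2023-11-28T02:00:09", "203.0.113.7", "bob@corp.example", "failure"),
    ("2023-11-28T02:00:17", "203.0.113.7", "carol@corp.example", "failure"),
    ("2023-11-28T02:00:25", "203.0.113.7", "dave@corp.example", "failure"),
    ("2023-11-28T02:00:33", "203.0.113.7", "legacy-test@corp.example", "success"),
    ("2023-11-28T02:05:00", "198.51.100.4", "erin@corp.example", "failure"),
    ("2023-11-28T02:05:10", "198.51.100.4", "erin@corp.example", "failure"),
    ("2023-11-28T02:05:20", "198.51.100.4", "erin@corp.example", "failure"),
    ("2023-11-28T02:05:30", "198.51.100.4", "erin@corp.example", "failure"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Return {source_ip: {"accounts": n, "successes": [users]}} for every
    source that failed against at least `min_accounts` distinct accounts
    inside `window`. Many accounts with few attempts each is the spray
    signature; a single account with many attempts is deliberately ignored.
    Thresholds are assumptions and should be tuned to the tenant."""
    by_source = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_source[ip].append((datetime.fromisoformat(ts), user, outcome))
    alerts = {}
    for ip, evs in by_source.items():
        evs.sort()
        failures = [(t, u) for t, u, o in evs if o == "failure"]
        start = 0
        # sliding window over failures, counting distinct accounts
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            distinct = {u for _, u in failures[start:end + 1]}
            if len(distinct) >= min_accounts:
                # any success from the same source is the likely foothold
                successes = [u for _, u, o in evs if o == "success"]
                alerts[ip] = {"accounts": len(distinct), "successes": successes}
                break
    return alerts
```

Running `detect_password_spray(SAMPLE_EVENTS)` flags only 203.0.113.7 and lists the legacy test account as the success that followed the spray.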

Redmond said the nature of the targeting indicates the threat actors were looking to access information related to themselves. It also emphasized that the attack was not the result of any security vulnerability in its products and that there is no evidence that the adversary accessed customer environments, production systems, source code, or AI systems.


The computing giant, however, did not disclose how many email accounts were infiltrated or what information was accessed, but said it was in the process of notifying employees who were impacted by the incident.


The hacking outfit, which was previously responsible for the high-profile SolarWinds supply chain compromise, has singled out Microsoft twice, once in December 2020 to siphon source code related to Azure, Intune, and Exchange components, and a second time breaching three of its customers in June 2021 via password spraying and brute-force attacks.


"This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard," the Microsoft Security Response Center (MSRC) said.


Originally published on the WeChat official account 知机安全: Midnight Blizzard: Russian APT Group Attacks Microsoft Executives' Email

Posted by admin on 2024-01-22 11:40:10. When reposting, please keep the link to this article (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2414040.html
