By FRANK BAJAK (AP Technology Writer)
BOSTON (AP) — On Friday, Microsoft said it is still working to remove the elite Russian government hackers who illegally accessed the email accounts of top company executives in November. The hackers have been attempting to penetrate customer networks using stolen access data.
The hackers from Russia’s SVR foreign intelligence service utilized data obtained in the breach, which was revealed in mid-January, to infiltrate some source-code repositories and internal systems, Microsoft stated in a blog and a regulatory filing.
A company spokesperson declined to specify what source code was accessed and what capability the hackers gained to further compromise customer and Microsoft systems. Microsoft also mentioned that the hackers stole “secrets” from email communications between the company and unspecified customers — cryptographic secrets such as passwords, certificates, and authentication keys. The company was reaching out to these customers “to help take corrective actions.”
Cloud-computing company Hewlett Packard Enterprise disclosed on Jan. 24 that it, too, was a victim of SVR hacking and was informed of the breach two weeks earlier, coinciding with Microsoft’s discovery of the hack.
“The ongoing attack by the threat actor is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” Microsoft said Friday. It also mentioned that the acquired data could be used “to build a picture of areas to attack and improve its ability to do so.” Cybersecurity experts said Microsoft’s acknowledgment that the SVR hack had not been contained exposes the dangers of the heavy reliance by government and business on the Redmond, Washington, company’s software monoculture, and the interconnectedness of its global cloud network.
“This has tremendous national security implications,” said Tom Kellermann of the cybersecurity firm Contrast Security. “The Russians can now use supply chain attacks against Microsoft’s customers.”
Amit Yoran, the CEO of Tenable, also issued a statement, expressing both alarm and dismay. He is among security professionals who find Microsoft excessively secretive about its vulnerabilities and how it deals with hacks.
“We should all be angry that this keeps happening,” Yoran said. “These breaches aren’t isolated, and Microsoft’s dubious security practices and misleading statements intentionally confuse the whole truth.”
Microsoft mentioned it had not yet determined whether the incident is likely to significantly impact its finances. It also said the intrusion’s persistence “reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”
The hackers, known as Cozy Bear, are the same hacking team responsible for the SolarWinds breach.
When it initially announced the hack, Microsoft stated that the SVR unit broke into its corporate email system and accessed accounts of some senior executives as well as employees on its cybersecurity and legal teams. The company did not disclose how many accounts were compromised.
Microsoft stated that it managed to remove the hackers’ access from the compromised accounts around Jan. 13. By that time, however, the hackers had already established a strong foothold.
It reported that the hackers gained access by compromising credentials on a “legacy” test account, but did not provide further details.
Microsoft's most recent announcement comes three months after a new U.S. Securities and Exchange Commission regulation went into effect, requiring publicly traded companies to disclose breaches that could harm their business.