By FRANK BAJAK (AP Technology Writer)
BOSTON (AP) — Microsoft stated on Friday that it is still attempting to remove the elite Russian government hackers who infiltrated the email accounts of senior company executives in November. It also mentioned that these hackers have been trying to penetrate customer networks using stolen access data.
The hackers from Russia’s SVR foreign intelligence service utilized information from the intrusion, which was revealed in mid-January, to compromise some source-code repositories and internal systems, according to the software giant's blog and a regulatory filing.
A company spokesperson declined to specify which source code was accessed and what capabilities the hackers gained to further compromise customer and Microsoft systems. Microsoft explained on Friday that the hackers obtained “secrets” from email communications between the company and unspecified customers, such as passwords, certificates, and authentication keys. They stated that they were reaching out to help these customers “take mitigating measures.”
Cloud-computing company Hewlett Packard Enterprise also disclosed on Jan. 24 that it was targeted by SVR hackers and had been made aware of the breach two weeks earlier, concurrent with Microsoft’s discovery of being hacked.
“The threat actor’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus,” Microsoft mentioned on Friday. They added that the hackers could be using acquired data “to accumulate a picture of areas to attack and enhance its ability to do so.” Cybersecurity experts stated that Microsoft’s acknowledgment that the SVR hack has not been contained exposes the risks of heavy reliance on the company’s software and the fact that many of its customers are connected through its global cloud network.
“This has tremendous national security implications,” said Tom Kellermann from the cybersecurity firm Contrast Security. “The Russians can now leverage supply chain attacks against Microsoft’s customers.”
Amit Yoran, the CEO of Tenable, also released a statement, expressing both alarm and dismay. He is among security professionals who feel that Microsoft is excessively secretive about its vulnerabilities and how it deals with hacks.
“We should all be furious that this keeps happening,” Yoran stated. “These breaches are not independent from each other, and Microsoft’s questionable security practices and ambiguous statements intentionally obscure the complete truth.”
Microsoft mentioned that it has not yet determined whether the incident is likely to materially impact its finances. They also stated that the persistence of the intrusion “reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.”
The hackers, called Cozy Bear, are the same hacking team responsible for the SolarWinds breach.
When it initially announced the hack, Microsoft mentioned that the SVR unit infiltrated its corporate email system and accessed accounts of some senior executives, as well as employees on its cybersecurity and legal teams. They did not disclose the number of compromised accounts.
Microsoft mentioned that it managed to block the hackers' access from the hacked accounts around Jan. 13. However, by that time, the hackers had already established a strong position.
Microsoft said that the hackers gained access by using login details from an old test account, but they did not provide more details.
Microsoft revealed this information three months after a new U.S. Securities and Exchange Commission rule came into effect. The rule requires public companies to report breaches that could harm their business.
