
Identity Security and the Midnight Blizzard Attack

Published Jan 23 and updated March 14


The phrase “identity is the new perimeter” has been used so often in cybersecurity circles that it has become cliché. But every day, another headline-grabbing, identity-based attack proves how true the phrase is.


On Friday, January 19th, news broke that Microsoft was the target of a cyberattack by a Russia-backed group known as “Midnight Blizzard,” also tracked as “Nobelium” and APT29. It is the same group responsible for the SolarWinds supply-chain compromise. The attack began in late November 2023 and was detected by the company’s security team on January 12, 2024.


On Friday, March 8th, Microsoft subsequently disclosed that the threat actor had used information exfiltrated from its corporate email systems to gain access to some of its source code repositories and internal systems. Microsoft also noted that Midnight Blizzard’s password spray attacks increased by as much as tenfold in February compared to the already high volume seen in January.


Based on what Microsoft has published about the attack, the malicious actors initially carried out a password spray attack to compromise a legacy non-production test tenant account that did not have multifactor authentication enabled. The spray was deliberately low and slow, targeting a limited number of accounts with few attempts each and routed through residential proxy infrastructure, so that it stayed under lockout thresholds and blended with normal traffic. Once they gained a foothold through that valid account, they abused a legacy test OAuth application in the tenant that still held elevated access to the Microsoft corporate environment: they created additional malicious OAuth applications and granted them the Office 365 Exchange Online full_access_as_app role. With that consent in place, they accessed a small percentage of the company’s corporate email accounts, including those of senior leadership and employees in the cybersecurity and legal departments, and exfiltrated sensitive information, including emails and attached documents.


Microsoft still has not disclosed the full scale of the compromise, although it has reached out to affected customers. It’s still not clear what source code was accessed.


It’s important to note that if a tech giant with the largest market cap in the world as of March 2024, with its vast resources and advanced security measures, can fall victim to such an attack, any organization could potentially be at risk. The incident is not about pointing fingers or victim shaming but rather a wake-up call for all organizations, big or small.


It underscores the fact that cybersecurity is a shared responsibility and an ongoing effort. No organization is immune, and every organization must proactively secure its digital identities to reduce risk. The key takeaway is not the breach itself, but the lessons learned and the measures implemented to prevent such attacks in the future.


One important lesson is the importance of adhering to the best practices recommended by an organization’s identity and access management (IAM) providers. These vendors provide guidelines to help organizations fortify their identity infrastructure and reduce the attack surface. Many IAM vendors also offer health check services designed to assess the robustness of an organization’s current security posture for their particular solution.


However, given the complexity of most environments, relying solely on the best practices from vendors who provide your identity controls is not sufficient. The incident also highlights the need for continuous monitoring with identity security posture management solutions that enable organizations to discover and resolve identity exposures that involve multiple systems before a threat actor like Midnight Blizzard can exploit them. A more proactive approach could have flagged the following exposures:

That said, organizations also need deeper identity context to detect and respond to identity-related risks in real time, since not every identity exposure can be found and remediated proactively. Solutions like AuthMind can deliver identity threat detection and response (ITDR) capabilities alongside ISPM, all from a single platform.


ITDR solutions complement SOC tools like security information and event management (SIEM) and extended detection and response (XDR) systems by providing identity alert correlation and detection logic to identify and contain identity threats rapidly. This includes detecting the password spray attack, which was the initial entry point in this incident.
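The password spray that opened this attack, described above and singled out here as the detection an ITDR layer must get right, leaves a recognizable shape in ordinary sign-in telemetry: one source failing against many accounts a few times each, rather than many times against one account. The following is an added example written for this page, not AuthMind’s or Microsoft’s detection logic. It runs a spray detector over constructed sign-in events (the log format, IP addresses, user agents, account names and the thresholds `min_users` and `max_per_user` are all assumptions chosen for illustration) and also shows the edge case Midnight Blizzard relied on: a spray spread across many proxy addresses is invisible when you key on source IP, but reappears when you key on another shared attribute such as the client user agent.

```python
"""Password-spray detection over sign-in events (added example, not vendor code).

A spray inverts brute force: one or a few passwords are tried against many
accounts, so per-account failures stay below lockout thresholds. The signal
is the breadth of distinct accounts a single source fails against inside a
time window, not the depth of failures on any one account.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). Columns: timestamp, source IP,
# client user agent, target account, result. Scenarios, in order:
#   1. low-and-slow spray from one IP ending in a success on a legacy test account
#   2. the same spray pattern distributed across five proxy IPs sharing a client
#   3. classic brute force against one account (should NOT be flagged as a spray)
#   4. a user mistyping a password once (benign)
SAMPLE_LOG = """\
2024-01-05T02:00:00,203.0.113.10,Python-urllib/3.9,alice,failure
2024-01-05T02:03:00,203.0.113.10,Python-urllib/3.9,bob,failure
2024-01-05T02:06:00,203.0.113.10,Python-urllib/3.9,carol,failure
2024-01-05T02:09:00,203.0.113.10,Python-urllib/3.9,dave,failure
2024-01-05T02:12:00,203.0.113.10,Python-urllib/3.9,erin,failure
2024-01-05T02:15:00,203.0.113.10,Python-urllib/3.9,svc-legacy-test,failure
2024-01-05T02:18:00,203.0.113.10,Python-urllib/3.9,svc-legacy-test,success
2024-01-05T02:40:00,203.0.113.21,Go-http-client/1.1,frank,failure
2024-01-05T02:43:00,203.0.113.22,Go-http-client/1.1,grace,failure
2024-01-05T02:46:00,203.0.113.23,Go-http-client/1.1,heidi,failure
2024-01-05T02:49:00,203.0.113.24,Go-http-client/1.1,ivan,failure
2024-01-05T02:52:00,203.0.113.25,Go-http-client/1.1,judy,failure
2024-01-05T03:00:00,198.51.100.7,Mozilla/5.0,bob,failure
2024-01-05T03:01:00,198.51.100.7,Mozilla/5.0,bob,failure
2024-01-05T03:02:00,198.51.100.7,Mozilla/5.0,bob,failure
2024-01-05T03:03:00,198.51.100.7,Mozilla/5.0,bob,failure
2024-01-05T03:04:00,198.51.100.7,Mozilla/5.0,bob,failure
2024-01-05T03:05:00,198.51.100.7,Mozilla/5.0,bob,failure
2024-01-05T03:06:00,198.51.100.7,Mozilla/5.0,bob,failure
2024-01-05T03:07:00,198.51.100.7,Mozilla/5.0,bob,failure
2024-01-05T04:00:00,192.0.2.5,Mozilla/5.0,carol,failure
2024-01-05T04:00:30,192.0.2.5,Mozilla/5.0,carol,success
"""


def parse_events(text):
    """Parse the CSV-style log above into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, agent, user, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "agent": agent,
                       "user": user, "ok": result == "success"})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, key="ip", window=timedelta(minutes=30),
                          min_users=5, max_per_user=3):
    """Return one alert per source (grouped on `key`, e.g. "ip" or "agent") whose
    failed sign-ins within any `window` hit at least `min_users` distinct accounts
    with no more than `max_per_user` failures on any single account.

    Each alert also lists sprayed accounts that the same source later signed
    into successfully inside the window: that is the "valid account" foothold
    an attacker pivots from, and the part of the alert responders act on first.
    """
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e[key]].append(e)

    alerts = []
    for source, evs in failures.items():
        for anchor in evs:  # try each failure as the start of a window
            end = anchor["ts"] + window
            counts = Counter(x["user"] for x in evs if anchor["ts"] <= x["ts"] <= end)
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                compromised = sorted({x["user"] for x in events
                                      if x["ok"] and x[key] == source
                                      and x["user"] in counts
                                      and anchor["ts"] <= x["ts"] <= end})
                alerts.append({"source": source, "keyed_on": key,
                               "start": anchor["ts"], "end": end,
                               "accounts": sorted(counts), "compromised": compromised})
                break  # one alert per source is enough; do not re-alert per window
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for keyed_on in ("ip", "agent"):
        for a in detect_password_spray(evs, key=keyed_on):
            print(f"[{keyed_on}] {a['source']}: {len(a['accounts'])} accounts sprayed "
                  f"{a['start']:%H:%M}-{a['end']:%H:%M}; compromised={a['compromised']}")
```

Keyed on source IP, only the single-address spray is flagged, and the alert carries the one account that succeeded afterwards, which is exactly the legacy test account pivot in the incident above; the eight failures against bob are correctly left alone because a spray is wide, not deep. The distributed spray produces no alert at all under IP grouping, which is the evasion the proxy infrastructure buys the attacker. Re-running the same routine keyed on the client user agent surfaces it, and in production the grouping key should be whichever attributes the sources share (user agent, ASN, TLS fingerprint, request timing), with the threshold tuned against the tenant’s normal failed-sign-in baseline.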


The Midnight Blizzard cyberattack underscores the criticality of securing digital identities to reduce the risk of data breaches. The cliché "identity is the new perimeter" rings truer than ever, with these recent attacks serving as a stark reminder of the importance of robust ISPM and ITDR solutions alongside existing identity and cybersecurity controls as part of a defense-in-depth strategy.