Microsoft Hacked by Russian Intelligence | How To Prevent Cyber Attacks of This Nature

Mar 19, 2024

In November 2023, an attack was initiated against Microsoft from the hacking group Midnight Blizzard, with links to Russian Intelligence agents in the SVR - the Russian equivalent of GCHQ - and this attack is still ongoing.

There is a common consensus that we have already entered a state of cold war against malicious actors such as Russia and China as characterised by continual instances of what is known as hybrid warfare.

This includes spying, assassinations and hacking. However, when one side attacks another party that does not initiate its own attacks and mounts a less-than-adequate defence in response, this is not typically described as “warfare”.

Could the current situation be more accurately described as a Hybrid Beating or Hybrid Bullying? Instead of a new Cold War, is this more like a Cold Slap? How can individual businesses protect themselves from these threats, and what can government agencies do to combat these types of attacks?

How did the Attack on Microsoft Happen?

The attack on Microsoft from the hacking group Midnight Blizzard (also known as Cozy Bear and Nobelium) was not particularly sophisticated or difficult to prevent, which is unfortunate for Microsoft as it suggests that they do not practise what they preach in carrying out their own recommended policies.

The Russian state-sponsored hacking group targeted an inactive legacy account in a Microsoft Office 365 tenant, using a relatively simple Password Spray method to gain access to employees’ emails.

What is a Password Spray?

The password spray method, as the name suggests, is not particularly sophisticated and involves continually firing off random passwords at the login screen, normally through the use of bots that will try every combination of letters and numbers possible until they happen to chance across the correct password and the system lets them in.

In terms of home security, this would be like a burglar making thousands of randomly shaped keys and trying each one until your front door was eventually unlocked.

Which Simple Protection Methods Can Businesses Use to Prevent Password Spray Attacks?

Quite disappointingly, there are several simple measures that companies such as Microsoft can put in place to stop password spray attacks. To avoid your business being impacted by a similar threat, any of the below methods would help.

Two-factor Authentication

With two-factor authentication, a simple password alone would not be enough to gain access, with a separate code or other secure method of identification needed. So in this case, even if the hackers chanced across the correct password they would not be able to do anything without, for example, the employee’s mobile phone and corresponding code that was sent to it.

Automatic Lockout on Failed Attempts

With many user accounts these days, as most people will be all too aware, there is an automatic lockout function where after, for example, three failed attempts to enter a password, the system will lock you out and further verification will be needed.

This is highly annoying when it happens to a genuine user who has simply misentered their password a few times, but it would have prevented a password spray-type attack, as the fake user would be locked out and unable to continue entering passwords thousands of times in succession.
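As an added example that is not part of the original article, the Python below replays a few constructed sign-in records (not Microsoft’s logs) through two of the checks discussed in the password spray and lockout sections above: a detector that flags a source whose failed sign-ins fan out across many different accounts, and an automatic-lockout policy that refuses every further attempt on an account once it reaches the failure threshold, so even a correctly guessed password is turned away. The log format, thresholds and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample sign-in records for illustration only (not real logs).
# One source fails against several accounts, including a legacy account that
# it eventually guesses; a genuine user at another address mistypes once.
SIGNIN_LOG = """\
2024-03-01T09:00:01Z result=FAILURE user=alice@corp.example src=203.0.113.7
2024-03-01T09:00:02Z result=FAILURE user=bob@corp.example src=203.0.113.7
2024-03-01T09:00:03Z result=FAILURE user=carol@corp.example src=203.0.113.7
2024-03-01T09:00:04Z result=FAILURE user=legacy-svc@corp.example src=203.0.113.7
2024-03-01T09:00:05Z result=FAILURE user=legacy-svc@corp.example src=203.0.113.7
2024-03-01T09:00:06Z result=FAILURE user=legacy-svc@corp.example src=203.0.113.7
2024-03-01T09:00:07Z result=SUCCESS user=legacy-svc@corp.example src=203.0.113.7
2024-03-01T09:01:00Z result=FAILURE user=alice@corp.example src=198.51.100.4
2024-03-01T09:01:05Z result=SUCCESS user=alice@corp.example src=198.51.100.4
"""

LINE_RE = re.compile(r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse_log(text):
    """Turn the assumed log format into (result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["src"]))
    return events

def spray_sources(events, min_accounts=4):
    """Sources whose failed sign-ins touch at least min_accounts distinct
    accounts: that fan-out separates a spray from one user's typos."""
    failed_users = defaultdict(set)
    for result, user, src in events:
        if result == "FAILURE":
            failed_users[src].add(user)
    return {src for src, users in failed_users.items() if len(users) >= min_accounts}

def apply_lockout(events, max_failures=3):
    """Replay events under a lockout policy: after max_failures consecutive
    failures an account is locked and all later attempts on it are refused,
    including a correct password. Returns (locked accounts, refused events)."""
    streak = defaultdict(int)
    locked, refused = set(), []
    for result, user, src in events:
        if user in locked:
            refused.append((result, user, src))
            continue
        streak[user] = streak[user] + 1 if result == "FAILURE" else 0
        if streak[user] >= max_failures:
            locked.add(user)
    return locked, refused
```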

Patch Management and Vulnerability Management

Using effective vulnerability scanning and patch management solutions, companies can highlight old legacy software and any potential risks or vulnerabilities.

At Lyon, we provide full system scanning and monitoring with patch management and vulnerability assessment tools that highlight issues with old software, automatically patch or update them or notify the user of any potential risks and what steps should be taken to mitigate these.

With solutions such as those provided by Lyon Tech, our clients can rest assured that these types of cyber attacks would have a significantly lower chance of affecting their business.

The Risk of Compromised Corporate Email Accounts - What Happened Next for Microsoft?

It is important to remember that while the initial method of data breach was rudimentary and unsophisticated, the hackers using this method are not - these are essentially agents of the Russian Intelligence Service, the SVR, and arguably some of the most experienced and well-trained hackers in the world.

With access to corporate email accounts, they now have a backdoor into your company and from there can wreak all sorts of havoc.

Email accounts in themselves are high-privilege accounts and are often used as the main means of verification for access to other services and for setting up new accounts. How many times have you attempted to access a website or service, been asked only for your email address and a password, and then been good to go?

Furthermore, the personnel whose emails were compromised were in very high-level and significant positions such as the senior leadership team, cybersecurity and legal departments.

With access to these accounts, the hacking group Midnight Blizzard were able to get hold of sensitive information and also find out what is known about them and what steps are being taken to combat them from a cybersecurity or legal standpoint.

Among the sensitive data, the hackers were able to gain access to parts of the source code for Microsoft software, which is highly valuable and gives the hackers further scope to exploit and manipulate Microsoft’s internal systems.

Reading through the corporate emails, the hackers were also able to learn trade secrets about Microsoft customers that were written in plain text in the body of emails sent between staff members and customers.

When you consider that Microsoft’s customers include entities such as the US Government, the nature of these secrets being shared could be highly valuable and sensitive.

How Could the Damage Have Been Mitigated Following the Initial Data Breach?

Even once a malicious actor or unauthorised user has gained access to network accounts, there are certain security procedures that could have been in place that would have contained the threat and prevented further damage.

Do Not Write Company Secrets in Plain Text

The main issue here is in writing down the company’s important trade secrets in plain text format in an email that a person can get hold of and physically read through the contents.

Using end-to-end encryption the valuable contents of emails such as these can be scrambled so that they would be indecipherable without the correct “cypher” or decryption key.

For highly sensitive data, however, it is highly recommended that email should not be used at all and that another, more secure, medium should be employed. Specific applications are available for managing and sharing company secrets securely, and biometric identifiers are more likely to ensure that the person reading the text is the authorised user.

Implications for Microsoft—How Does the Cyber Attack Reflect on Their Reputation?

Of course, with any large-scale data breach where customers’ data is compromised, there is always reputational damage.

However, while it may seem highly negligent of Microsoft to be successfully attacked by a relatively simple method, it should be noted that Microsoft is a large company and as such is a key target for such hackers with state-funded resources supplied to conduct their activities. The current cyber attack started in November 2023 and is still ongoing today, so the hacking group certainly has a lot of time, money and personnel invested in the process.

Also, for a large company such as Microsoft, it can be difficult to protect everything and even relatively simple cybersecurity protocols can be difficult to maintain at that scale.

Effective cybersecurity awareness training for staff members is essential to ensure they do not fall into bad habits and risky practices such as emailing passwords and company secrets in plain text format.

What Can State Authorities and Government Agencies Do to Combat These Threats?

The recent attack on Microsoft was, it seems, a state-sponsored cyber attack funded and carried out by Russian intelligence. We have our own intelligence services, and surely they can counteract this in some way—so what can the intelligence and security services of Western nations do, and what are they currently doing, to combat these types of threats on a global scale?

In the UK, intelligence services such as MI5 and GCHQ will be working continually to disrupt state-sponsored hackers and protect commercial and political entities, with similar organisations operating in the US such as the CIA.

It is important to remember that these large-scale attacks that make it into the news will only be the tip of the iceberg and for every data breach story you hear about, there could be thousands of similar plots that were prevented or foiled in some way.

Intelligence services such as MI5, GCHQ, etc. will not publicise details on any specific cases they are working on, but they will keep the public updated with briefings on their assessment of the overall threat level from certain state actors, based on the findings from their own experience of detecting and attempting to combat these threats.

The head of MI5, for example, recently provided an overview of threats from Iran, China, and Russia based on an analogy of football players and managers—explaining roughly how their hacking and espionage tactics worked and how they differed from each other, in broad terms.

Organisations such as GCHQ, MI5, CIA, etc. will certainly be doing their bit to detect the activity of these hacking groups, trace the origins of the data breaches and work to prevent their effects, especially on home soil. In 2016 the National Cyber Security Centre was created as an offshoot of GCHQ to protect infrastructure and businesses specifically.

What about offensive measures though, are there similar bodies that will hack into enemy states or criminal gangs on behalf of the government?

NCF Set Up for Offensive Operations

In April 2020, the foundation of the National Cyber Force was completed and later announced publicly in the same year. Unlike the National Cyber Security Centre, the NCF was set up with the intention of carrying out offensive operations.

What does this mean, essentially? Hacking into and disrupting the activities of enemy state actors, terror groups, and criminal networks.

Under UK law, government-sponsored and directed hacking is legal, although there are certain concerns surrounding the data privacy and transparency of such operations.

Whilst specific operational details will of course remain secret, these organisations have been known to disrupt communications equipment used by terror groups and take down botnets and factories of hackers.

This type of activity may have been ongoing for several years, but the only publicly disclosed use of offensive hacking by the UK Government was one instance in 2016 when a similar agency to NCF was used to hack into and take down communications equipment used by ISIS.

A similar organisation exists in the US called US Cyber Command, which apparently disrupted one of the world's largest botnets, known as Trickbot. They managed to hack into the servers and add fake data into all the passwords and financial details they had gathered, rendering them useless.

During the 2018 midterm elections, Cyber Command was also apparently responsible for taking down one of Russia’s propaganda machines by cutting their Internet access.

Equivalent Foreign Soil Attacks

Of course, while these incidents listed are examples of Western governments in the UK and US carrying out offensive hacking operations against various groups, these are all conducted as yet on home soil in our own territories.

To what extent would the UK Government carry out equivalent attacks on, say, Russian soil and interfere with their activities and business infrastructure?

Most likely, these types of activities from UK forces would be few in number. There was an alleged incident of hacking into a telecoms firm to get details on EU negotiations in 2013, but for the most part you do not hear of these sorts of stories, for one of two reasons—either they are not happening in the first place, or the people carrying out these UK-launched cyber offensives are just very good at what they do.

The likelihood of, say, GCHQ or an associated department hacking into Russian power plants to cut the electricity to Moscow, for example, would be very small.

This sort of activity, if uncovered, plays perfectly into the narrative of Putin that the West is constantly making attempts to destroy the Russian state and its way of life, etc.

Furthermore, the world is poised in a very tense and delicate geopolitical situation, with superpowers and their allies involved in various conflicts with each other, so understandably world leaders would not want to be found guilty of taking some aggressive action in cyberspace against, say, Russia or China that would then fall back on them, damage their countries’ reputations or further escalate any present conflict.

With the current cyber attack from Midnight Blizzard still ongoing, however, it is clear that these types of malicious organisations pose a significant threat to any businesses operating in the UK and US.

Lyon Tech Services That Can Prevent Cyber Attacks and Data Breaches of This Nature

At Lyon Tech, we provide businesses with a range of technological solutions that would help prevent or mitigate the effects of this kind of data breach attempt as used by Russian hacking group Midnight Blizzard in the recent incident.

Our range of cybersecurity services that would help in this instance include:

  • Secure cloud data storage
  • End-to-end encryption
  • Staff awareness training
  • Vulnerability scanning
  • Patch management
  • 24/7 security system monitoring
  • Live infrastructure analysis and intrusion detection

Contact Lyon

For more information on protecting your business from password spray methods and other more sophisticated forms of cyber attack, contact our expert cyber security team.

We can take you through the most suitable solutions for your business needs and advise which defensive measures would be the most cost-effective options for your company.

If you have any questions with regards to data breaches, cybersecurity and creating a robust defence for your business, contact Lyon Tech and our expert advisors would be more than happy to answer any questions you may have.