More companies expected to disclose email hacks by Russian intelligence


Security experts expect many more companies to disclose that they’ve been hacked by Russian intelligence agents who stole emails from executives following disclosures by Microsoft and Hewlett-Packard Enterprise in the past week.

Microsoft said late Thursday that it had found more victims and was in the process of notifying them. A spokesperson declined to say how many. But three experts in and out of government said that the attack was deeper and broader than the disclosures to date reveal.

Two said that more than 10 companies, and perhaps far more, are expected to come forward. The experts asked not to be named so as to maintain relations with the victims.

Changed Securities and Exchange Commission rules are driving the disclosures because the SEC now requires companies to notify their stockholders of computer breaches that could have a material impact on company results.

Microsoft, HPE and the experts said that Russia’s SVR foreign intelligence service has been inside the targeted companies for months. It was not clear whether the Russians had used the same technique repeatedly to gain access to the companies’ systems.

The SVR team, which Microsoft calls Midnight Blizzard, is regarded as one of the most proficient hacking forces in the world. Microsoft said the Russian agency had gotten a foothold inside its network by trying the same password on test accounts over and over until it found a match.

While that is a rudimentary attack, the company said it was made harder to spot because the login attempts came from a number of different places. Once inside, the hackers created new accounts and new apps with more internal powers.

Also known as Cozy Bear, the group last made international news for getting inside the software provider SolarWinds. It altered that company’s code, giving itself an entryway when federal agencies that were SolarWinds customers installed it.

“What sets this group apart is its remarkable combination of discretion, patience, and unwavering persistence, distinguishing them from other cyberthreat actors also funded and acting on behalf of nation-states,” said Aric Ward, a former threat analyst at the White House. “Their low profile is indicative of a stealthy and adept approach, making it clear that their actions persist even if they remain elusive from public scrutiny.”

The Microsoft and HPE breaches are especially concerning because so many other companies and agencies rely on them for cloud services, including email. It is not yet known whether the hackers were able to use their access to Microsoft’s systems to conduct attacks on other companies.

Alex Stamos, a security executive at competitor SentinelOne, said Microsoft’s most recent blog post indicated the company had used a detection technique that only works on Microsoft-hosted cloud services. Stamos wrote on LinkedIn that this suggested that multiple targets had been hit with an attack method that works against Microsoft’s system for authorizing access, now called Entra and formerly known as Azure Active Directory.

Microsoft said that the SVR searched through the email of its cybersecurity experts to find out what they knew about the Russian organization, which may reflect the company’s effectiveness in helping Ukraine deter cyberattacks since the invasion two years ago.

“It’s their goal to penetrate systems of interest to them, but given Microsoft’s role in the world and how helpful they have been to Ukraine, they’re going to be a target,” said George Barnes, who recently retired as the deputy director of the National Security Agency.

The Microsoft executives’ emails are also likely to contain conversations with government officials that would be useful for foreign intelligence agencies.

The Cybersecurity and Infrastructure Security Agency, the Homeland Security unit that tracks computer intrusions, did not respond to a request for comment.
