Two said that more than 10 companies, and perhaps far more, are expected to come forward. The experts asked not to be named so as to maintain relations with the victims.
The Securities and Exchange Commission last year strengthened the rules that require companies to notify their stockholders of computer intrusions that could have a material impact on company results. That helped spur the recent disclosures.
Microsoft, HPE and the experts said that Russia’s SVR foreign intelligence service have been inside the targeted companies for months. It was not clear whether the Russians had used the same technique repeatedly to gain access to the companies’ systems.
The SVR team, which Microsoft calls Midnight Blizzard, is regarded as one of the most proficient hacking forces in the world. Microsoft said the Russian agency had gotten a foothold inside its network by trying the same password on test accounts over and over until it found a match.
While that is a rudimentary attack, the company said it was made harder to spot because the login attempts came from a number of different places. Once inside, the hackers created new accounts and new apps with more internal powers.
Also known as Cozy Bear, the group last made international news for getting inside the software provider SolarWinds. It altered that company’s code, giving itself an entryway when federal agencies that were SolarWinds customers installed it.
“What sets this group apart is its remarkable combination of discretion, patience, and unwavering persistence, distinguishing them from other cyberthreat actors also funded and acting on behalf of nation-states,” said Aric Ward, a former threat analyst at the White House. “Their low profile is indicative of a stealthy and adept approach, making it clear that their actions persist even if they remain elusive from public scrutiny.”
The Microsoft and HPE breaches are especially concerning because so many other companies and agencies rely on them for cloud services, including email. It is not yet known whether the hackers were able to use their access to Microsoft’s systems to conduct attacks on other companies.
Eric Goldstein, the top cybersecurity official at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said it was working to learn more about the attack and its potential impact.
“As noted in Microsoft’s announcement, at this time we are not aware of impacts to Microsoft customer environments or products,” Goldstein said.
Alex Stamos, a security executive at competitor SentinelOne, said Microsoft’s most recent blog post indicated the company had used a detection technique that only works on Microsoft-hosted cloud services. Stamos wrote on LinkedIn that this suggested that multiple targets had been hit with an attack method that works against Microsoft’s system for authorizing access, now called Entra and formerly known as Azure Active Directory.
Microsoft said that the SVR searched through the email of its cybersecurity experts to find out what they knew about the Russian organization, which may reflect the company’s effectiveness in helping Ukraine deter cyberattacks since the invasion two years ago.
“It’s their goal to penetrate systems of interest to them, but given Microsoft’s role in the world and how helpful they have been to Ukraine, they’re going to be a target,” said George Barnes, who recently retired as the deputy director of the National Security Agency.
The Microsoft executives’ emails are also likely to contain conversations with government officials that would be useful for foreign intelligence agencies.
