
From Russia with Love: Microsoft Hackers Also Moonlight as Corporate Spies

February 11, 2024
Credit: Microsoft


Microsoft has revealed that Midnight Blizzard, the Russian state-linked group also known as Cozy Bear (and tracked as APT29) that infiltrated its corporate systems, has been targeting other organizations as well. The group got its initial foothold through a password spray attack: trying a small number of likely passwords against many accounts until one worked, in this case a "legacy, non-production test tenant account" at Microsoft, likely tied to the company's Azure cloud service. That account did not have multi-factor authentication enabled, so a single guessed password was enough to sign in.

Microsoft has stated that there is no evidence the threat actor had access to customer environments, production systems, source code, or AI systems. The company also said the attackers used evasion techniques to keep the spray running over a long period without tripping lockouts or alerts: they kept the number of attempts per account low, and they routed the attempts through residential proxy infrastructure so that the logins appeared to come from ordinary US home connections rather than from abroad.
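The two conditions described above, a slow spray spread across rotating residential IPs and a successful password-only login at the end of it, are both visible in sign-in telemetry if the detection is written for them. The following is an added example, not code from the article or from Microsoft: it runs a spray detector and an MFA-gap check over a handful of constructed sign-in events whose field names follow the Entra ID sign-in log schema. The tenant name `example.onmicrosoft.com`, the user names and the IP addresses (documentation ranges) are all assumptions made up for the demonstration.

```python
"""Password-spray and MFA-gap detection over Entra ID style sign-in records.

Added example; not code from the article or from Microsoft. Field names follow
the Entra ID sign-in log schema (userPrincipalName, ipAddress, status.errorCode,
authenticationRequirement, createdDateTime), but every event below is
constructed for illustration and the IPs come from documentation ranges.
"""
from collections import Counter
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # Entra ID error code: invalid username or password
SUCCESS = 0


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def ev(ts, user, ip, code, req="singleFactorAuthentication"):
    """Build one sign-in record in the shape the detectors expect (constructed data)."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "status": {"errorCode": code}, "authenticationRequirement": req}


# A spray: one guess per account, slow, rotated across three source IPs, then a
# hit on an unprotected test account. Followed by a benign MFA login and a user
# mistyping their password five times (lockout-style noise, not a spray).
SAMPLE_EVENTS = [
    ev("2024-01-10T03:00:00Z", "alice@example.onmicrosoft.com", "198.51.100.7", INVALID_PASSWORD),
    ev("2024-01-10T03:03:00Z", "bob@example.onmicrosoft.com", "198.51.100.22", INVALID_PASSWORD),
    ev("2024-01-10T03:06:00Z", "carol@example.onmicrosoft.com", "203.0.113.45", INVALID_PASSWORD),
    ev("2024-01-10T03:10:00Z", "svc-legacytest@example.onmicrosoft.com", "198.51.100.22", INVALID_PASSWORD),
    ev("2024-01-10T03:14:00Z", "dave@example.onmicrosoft.com", "198.51.100.7", INVALID_PASSWORD),
    ev("2024-01-10T03:18:00Z", "erin@example.onmicrosoft.com", "203.0.113.45", INVALID_PASSWORD),
    ev("2024-01-10T03:25:00Z", "svc-legacytest@example.onmicrosoft.com", "203.0.113.45", SUCCESS),
    ev("2024-01-10T08:00:00Z", "alice@example.onmicrosoft.com", "192.0.2.10", SUCCESS,
       "multiFactorAuthentication"),
] + [ev(f"2024-01-10T09:0{i}:00Z", "carol@example.onmicrosoft.com", "192.0.2.10", INVALID_PASSWORD)
     for i in range(5)]


def detect_spray(events, window=timedelta(hours=1), min_accounts=5, max_fails_per_account=3):
    """Return (sprayed accounts, source IPs) for any window in which many distinct
    accounts each see only a few bad-password failures: few passwords, many users.

    Accounts with many failures are ignored; that pattern is brute force or a
    locked-out user, a different detection. Bucketing by time rather than by
    source IP is deliberate: a residential proxy rotates the IP per attempt, so
    per-IP counters never cross a threshold.
    """
    fails = sorted(((parse_ts(e["createdDateTime"]), e) for e in events
                    if e["status"]["errorCode"] == INVALID_PASSWORD), key=lambda t: t[0])
    sprayed, source_ips, start = set(), set(), 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        in_window = [e for _, e in fails[start:end + 1]]
        per_user = Counter(e["userPrincipalName"] for e in in_window)
        low = {u for u, n in per_user.items() if n <= max_fails_per_account}
        if len(low) >= min_accounts:
            sprayed |= low
            source_ips |= {e["ipAddress"] for e in in_window if e["userPrincipalName"] in low}
    return sprayed, source_ips


def single_factor_successes(events, accounts):
    """Successful sign-ins to the sprayed accounts that were satisfied by a password
    alone: the gap the article describes (legacy test tenant, no MFA)."""
    return [(e["userPrincipalName"], e["ipAddress"], e["createdDateTime"])
            for e in sorted(events, key=lambda e: e["createdDateTime"])
            if e["status"]["errorCode"] == SUCCESS
            and e["authenticationRequirement"] == "singleFactorAuthentication"
            and e["userPrincipalName"] in accounts]


if __name__ == "__main__":
    accounts, ips = detect_spray(SAMPLE_EVENTS)
    print("spray against", sorted(accounts), "from", sorted(ips))
    for hit in single_factor_successes(SAMPLE_EVENTS, accounts):
        print("password-only login after spray:", hit)
```

On the constructed data the spray detector fires on the six accounts hit between 03:00 and 03:18 and reports all three proxy IPs, while carol's five typos at 09:00 do not fire; the MFA-gap check then surfaces the one password-only success on `svc-legacytest`. The thresholds are starting points: tune `min_accounts` and `window` to the tenant's size, and feed the output to a rule that forces MFA or blocks the account rather than only alerting.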

According to Microsoft, the foothold was only a test account, but from it the attackers were able to identify and compromise a legacy OAuth application "that had elevated access to the Microsoft corporate environment." OAuth is the authorization protocol, used across the industry, that lets one application act on data held by another without being handed the user's password. An OAuth application registered in a tenant carries whatever permissions have been granted to it, and once an attacker controls the application those permissions, not the test account's, are what count. Midnight Blizzard did not exploit a flaw in OAuth itself: it abused this over-privileged application to read corporate mailboxes, including those of senior executives and of staff in Microsoft's cybersecurity and legal functions. The objective seems to have been to learn what Microsoft knew about Midnight Blizzard, a group that the US and its allies assess to be tied to the Russian Federation's foreign intelligence service.
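The practical check that follows from the paragraph above is an inventory of which applications in the tenant hold app-only permissions broad enough to read everyone's mail, and which of those have not been used in months. The following is an added example, not code from the article or from Microsoft: it joins a Microsoft Graph style export of service principals and their app role assignments to readable permission names, flags the high-risk ones, and marks stale holders for removal. The records, application names and GUIDs are all placeholders constructed for the demonstration; the field names mirror the Graph `servicePrincipal` and `appRoleAssignment` objects.

```python
"""Triage of app-only OAuth permissions from a Microsoft Graph style export.

Added example; not code from the article or from Microsoft. The input mirrors the
Graph objects returned by GET /servicePrincipals (id, displayName, appRoles) and
GET /servicePrincipals/{id}/appRoleAssignments (principalId, resourceId,
appRoleId), but every record below is constructed and the GUIDs are placeholders.
"""
from datetime import datetime, timedelta

# App-only (application) permissions that give an app tenant-wide mailbox or
# directory control regardless of which user, if any, is signed in.
# full_access_as_app is the Exchange Online role name; the rest are Graph values.
HIGH_RISK = {"full_access_as_app", "Mail.ReadWrite", "Mail.Read",
             "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}

# Placeholder object ids for the constructed tenant.
EXO = "11111111-0000-4000-8000-000000000001"
GRAPH = "11111111-0000-4000-8000-000000000002"
LEGACY = "22222222-0000-4000-8000-000000000001"
HRSYNC = "22222222-0000-4000-8000-000000000002"
ARCHIVER = "22222222-0000-4000-8000-000000000003"

RESOURCE_SPS = [  # the APIs that expose app roles
    {"id": EXO, "displayName": "Office 365 Exchange Online",
     "appRoles": [{"id": "aaaaaaaa-0000-4000-8000-000000000001", "value": "full_access_as_app"},
                  {"id": "aaaaaaaa-0000-4000-8000-000000000002", "value": "Exchange.ManageAsApp"}]},
    {"id": GRAPH, "displayName": "Microsoft Graph",
     "appRoles": [{"id": "bbbbbbbb-0000-4000-8000-000000000001", "value": "Mail.ReadWrite"},
                  {"id": "bbbbbbbb-0000-4000-8000-000000000002", "value": "User.Read.All"}]},
]
CLIENT_SPS = [  # the applications that hold grants
    {"id": LEGACY, "displayName": "legacy-test-app"},
    {"id": HRSYNC, "displayName": "hr-sync"},
    {"id": ARCHIVER, "displayName": "mail-archiver"},
]
ASSIGNMENTS = [  # appRoleAssignments: principalId is the client, resourceId the API
    {"principalId": LEGACY, "resourceId": EXO, "appRoleId": "aaaaaaaa-0000-4000-8000-000000000001"},
    {"principalId": HRSYNC, "resourceId": GRAPH, "appRoleId": "bbbbbbbb-0000-4000-8000-000000000002"},
    {"principalId": ARCHIVER, "resourceId": GRAPH, "appRoleId": "bbbbbbbb-0000-4000-8000-000000000001"},
]
LAST_SIGN_IN = {  # last token issued to each app (e.g. from the sign-in activity report); None = never
    LEGACY: "2021-06-30T00:00:00Z", HRSYNC: "2024-02-01T00:00:00Z", ARCHIVER: "2024-02-09T00:00:00Z"}


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def resolve_grants(client_sps, resource_sps, assignments):
    """Join each appRoleAssignment to a readable (app, resource, permission) record."""
    clients = {sp["id"]: sp["displayName"] for sp in client_sps}
    roles = {(sp["id"], r["id"]): (sp["displayName"], r["value"])
             for sp in resource_sps for r in sp["appRoles"]}
    grants = []
    for a in assignments:
        resource, permission = roles[(a["resourceId"], a["appRoleId"])]
        grants.append({"appId": a["principalId"], "app": clients[a["principalId"]],
                       "resource": resource, "permission": permission})
    return grants


def triage(grants, last_sign_in, now, stale_days=90):
    """Flag high-risk app-only grants. An app that holds one but has not signed in
    for stale_days is the 'legacy test application' case: nothing legitimate breaks
    if the grant is removed, and nobody is watching it if it is abused."""
    findings = []
    for g in grants:
        if g["permission"] not in HIGH_RISK:
            continue
        seen = last_sign_in.get(g["appId"])
        stale = seen is None or parse_ts(now) - parse_ts(seen) > timedelta(days=stale_days)
        findings.append({**g, "stale": stale,
                         "action": "remove grant" if stale else "review owner and scope"})
    return sorted(findings, key=lambda f: (not f["stale"], f["app"]))


def run(now="2024-02-11T00:00:00Z"):
    return triage(resolve_grants(CLIENT_SPS, RESOURCE_SPS, ASSIGNMENTS), LAST_SIGN_IN, now)


if __name__ == "__main__":
    for f in run():
        print(f"{f['app']:16} {f['resource']:28} {f['permission']:20} -> {f['action']}")
```

On the constructed data `legacy-test-app` holds `full_access_as_app` on Exchange Online and has not authenticated since 2021, so it is listed first for removal; `mail-archiver` holds `Mail.ReadWrite` and is active, so it is listed for an ownership and scope review; `hr-sync` only has `User.Read.All` and is not reported. In a real tenant the same join runs over the paged Graph responses, and the `HIGH_RISK` set should be extended with whatever other app-only permissions the organization treats as tier 0.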

Microsoft has identified that the same actor has been targeting other organizations and has begun notifying them. The company did not name the other organizations. However, days earlier Hewlett Packard Enterprise had told investors that Midnight Blizzard breached its cloud-based email environment sometime last year.

In summary, Midnight Blizzard's campaign extends well beyond Microsoft. At Microsoft the chain was a password spray against a legacy, non-production test tenant account with no multi-factor authentication, followed by abuse of an over-privileged legacy OAuth application to reach corporate email. Microsoft maintains there is no evidence the actor reached customer environments, production systems, source code, or AI systems. The lessons are the familiar ones: no tenant or account is too "legacy" to need MFA, and OAuth applications with broad app-only permissions must be inventoried and retired once they are no longer used.
