SAN FRANCISCO, REUTERS – Microsoft claims that an attacker gained access to one of its customer-service agents. He then used the information to launch hacking attacks against customers.
On Friday, June 25, the company stated that it discovered the compromise in its response to hacks from a team responsible for previous major breaches at SolarWinds or Microsoft.
Microsoft stated that it had notified affected customers.
Reuters obtained a copy of one warning that said the attacker belonged to the group Microsoft calls Nobelium and that it had access to the site during the second half of May.
The warning states that “A sophisticated nation-state associated actor Microsoft identifies to be NOBELLIUM accessed Microsoft Customer Support Tools to review information about your Microsoft Services subscriptions.”
The US government has publicly blamed the Russian government for the attacks, which it denies.
Microsoft made the announcement publicly after Reuters inquired about it.
Microsoft commented on a wider phishing campaign that had compromised a few entities. However, it claimed it had also discovered the breach of its agent, who, it said, had limited powers.
An agent could view billing contact information, as well as what services customers have paid for.
Microsoft stated that the actor had used some of this information to launch highly targeted attacks as part of a broader campaign.
Microsoft advised affected customers to be cautious about communication to their billing contacts. They suggested that they change usernames and email addresses and bar old usernames from logging into Microsoft.
Microsoft claimed that it knew of three compromised entities in the phishing attack.
It was not immediately clear if any of the data had been viewed by the support agent or if a broader campaign tricked the agent.
Microsoft didn’t say whether the agent was a contractor or an employee.
A spokesperson said that the latest attack by the threat actor wasn’t part of Nobelium’s previous successful attack against Microsoft. In which it gained some source code, the attacker was unsuccessful.
The SolarWinds attackers altered the code of the company to gain access to SolarWinds customers. This included nine US federal agencies.
According to the Department of Homeland Security, attackers used weaknesses in Microsoft’s programs to attack SolarWinds customers and others.
Microsoft later claimed that the group had compromised its employee accounts and taken software instructions regarding how Microsoft verifies user identities.
Officials from the White House said that the latest intrusion and phishing campaign were far less serious than the SolarWinds disaster.
The official stated that the operation appeared to have been largely unsuccessful and was a typical example of run-of-the-mill espionage.
Scott McConnell, a spokesperson for Homeland Security’s Cybersecurity and Infrastructure Security Agency, said that the group worked with Microsoft and its interagency partners to assess the impact. We are ready to help any affected entities.”
