Microsoft’s announcements around Midnight Blizzard’s campaign against it have been like a slow reveal that gets worse with each new twist.

Microsoft originally named Midnight Blizzard as being behind the attack, which it said commenced in late November 2023. The group used a simple password spray technique to gain a foothold in its network with what Microsoft described as a “legacy non-production test tenant account.”

At that time, the attack was said to have targeted senior Microsoft executives but was still believed to be limited in scope. However, in a more recent update in March the assessment had darkened with the company admitting the attackers had gained access to internal systems and source code.

There is a longer-term pattern at work with the company publishing a warning in August 2023 that Midnight Blizzard was targeting Microsoft customers through social engineering attacks on Microsoft Teams.

Who is Midnight Blizzard?

Associated by the US and UK with the Russian SVR Foreign Intelligence Service, Midnight Blizzard is known by several nicknames depending on which security vendor is doing the naming. Other names include Nobelium, APT29, and Cozy Bear, the last made famous in 2016 when it was blamed along with a second Russian group, Fancy Bear, for breaching servers belonging to the Democratic National Committee (DNC).