New U.S. Securities and Exchange Commission rules, the topic of an upcoming Smart Industry program next month, went into effect in December—and two cyberattacks, one reported by software and internet services giant Microsoft Corp. just last week, tested those new SEC regulations.
Microsoft technically didn’t have to tell the SEC that it failed to apply basic cybersecurity protections to an email account and paid the price, but last week admitted the mistake anyway. This follows the much-publicized and expensive hack of Clorox last summer, which the company actually reported per the SEC guidelines before the rules went into effect in December.
Microsoft told the world that a Russian state-sponsored cybercrime group known as Midnight Blizzard gained a beachhead onto Microsoft’s network through a “password spray attack.”
See also: What’s in store in 2024 for cybersecurity, AI, and securely bridging the IT/OT gap
The breached account was a “test tenant” account, meaning it was probably used for testing and development purposes versus a live email account used by an employee on a regular basis. But the incident does show just how on top of things cybersecurity teams (including yours) need to be, because the smallest keyhole may open doors that really ought to remain shut.
Especially when the hackers are also known as Nobelium or APT29, tied to Russia’s Foreign Intelligence Service (SVR), and responsible for causing billions of dollars’ worth of damage to some of the world’s largest tech companies in the SolarWinds hack reported in 2020.
As explained by BleepingComputer, password spraying means collecting a list of potential login names and attempting to log into all of them with the same password. The hackers either eventually run out of passwords or hit paydirt and breach an account. And, as BleepingComputer also noted, this only works if the account doesn’t have additional protections like multifactor authentication.
The Russian hackers then used permissions attached to a hacked account to access corporate email accounts “including members of our senior leadership team and employees in our cybersecurity, legal, and other functions,” according to Microsoft’s notice.
See also: Cybersecurity in the spotlight: What recent attacks show about industry vulnerabilities, defenses
The hackers were apparently looking for information related to the state-sponsored group and stole emails with attached documents.
Microsoft did not under the new SEC reporting rules have to report the breach because, as stated in the Form 8-K filing dated Jan. 17, the hack “has not had a material impact on the Company’s operations.”
However, Microsoft also reported: “The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”
Tyler Farrar, CISO at cybersecurity firm Exabeam, told IndustryWeek that this is a wake-up call.
“The recent Microsoft email system breach serves as a critical reminder of the evolving complexities in cybersecurity. The attackers capitalized on the path of least resistance, exploiting a legacy, non-production account, underscoring the often-overlooked concept of latent security vulnerabilities within organizations,” Farrar said.
See also: Cybersecurity stakeholders praise AI executive order—but say it’s just a start
“This is a crucial learning point for the cybersecurity community. It reinforces the importance of adopting comprehensive, AI-enhanced security measures to proactively identify and mitigate hidden risks. Consider this event a stark reminder that in the digital age, vigilance, and advanced technology are key to safeguarding against sophisticated cyber threats,” Farrar added.
Cybersecurity heavyweights on Feb. 15
Two thought leaders in cybersecurity headline the Feb. 15 Smart Industry webinar: Michael Daniel, president and CEO of the Cyber Threat Alliance and President Obama’s former cybersecurity coordinator, and Richard Bird, chief information security officer (CISO) for Traceable AI, which offers industry solutions and advises manufacturing on cybersecurity, risk management, and data security.
See also: Robust cyber defenses depend on enough qualified staff to execute them
Prior to CTA, Daniel also served as cybersecurity coordinator on the National Security Council staff. In that role, he led the development and implementation of national cybersecurity strategy and policy; deterring and disrupting cyberattacks aimed at the U.S. and its allies; and improving the ability of the U.S. to respond to and recover from cyber incidents. He also helped craft the government’s response to significant cyber events, such the attack on Sony Pictures Entertainment, the intrusion into the Office of Personnel Management, and Russian efforts to meddle in U.S. elections.
Bird is a multi-time, C-level executive in the corporate and startup worlds and is internationally recognized for his insights, work, and views on cybersecurity, data privacy, digital consumer rights, and next-generation security topics. He is a sought-after speaker, particularly in translating cybersecurity and risk realities into business language and imperatives. He is a Senior Fellow with the CyberTheory Zero Trust Institute and a Forbes Tech council member.
This story is adapted from an article by Dennis Scimeca of IndustryWeek, which is a sister publication of Smart Industry at Endeavor Business Media.