
SolarWinds Hackers Steal Microsoft Customer Data

Microsoft said a system belonging to one of its customer-support agents has been compromised by the attackers behind the SolarWinds hack, exposing “basic account information” for some customers.

The information was then used in highly targeted phishing attacks on Microsoft customers. Microsoft didn’t say whether those attacks had been successful.

“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” Microsoft said.

“Our support agents are configured with the minimal set of permissions required as part of our Zero Trust ‘least privileged access’ approach to customer information,” the company added.

Customer data

“We are notifying all impacted customers and are supporting them to ensure their accounts remain secure.”

The data of a “small number” of customers was affected by the hack, which Microsoft said was carried out by an attack group variously known as Nobelium, APT29 or Cozy Bear.

The group was behind the hack of SolarWinds that allowed it to access the systems of nine US federal agencies, along with numerous private enterprises.

The US government has publicly stated that Russia was behind the SolarWinds hack, something Russia denies.

Microsoft said that after finding information-stealing malware on a machine belonging to one of its customer-support agents, it removed the malware’s access and secured the device.

It didn’t specify whether the agent worked for a contractor or was a direct employee.

Phishing risk

Microsoft warned the customers affected, indicating that the malware had accessed data in the second half of May.

“A sophisticated Nation-State associated actor that Microsoft identifies as NOBELIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part, according to Reuters.

The customer-service agent could see billing contact information and what services customers pay for, amongst other data, Microsoft said.

It warned affected customers to be careful about communications with their billing contacts and to consider changing billing-related usernames and email addresses, as well as barring older usernames from logging in.

Microsoft told Reuters the latest attack was not related to Nobelium’s SolarWinds hack, in which the group succeeded in accessing Microsoft source code.

Data theft

The company said it detected the hack of the customer-service system while investigating a broader hacking campaign carried out by Nobelium, involving password spray and brute-force attacks.

It said it was aware of three entities that had been compromised by the broader campaign.

“All customers that were compromised or targeted are being contacted through our nation-state notification process,” Microsoft said in a statement.

The latest Nobelium campaign primarily targeted IT companies, at 57 percent, followed by government, at 20 percent, as well as non-governmental organisations, think tanks and financial services.

US interests accounted for 45 percent of the attacks, followed by 10 percent for the UK and smaller numbers for Germany and Canada, out of a total of 36 countries targeted.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
