A Midnight Blizzard Hits Microsoft. So What?
1–22–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, January 22, 2024, and I hope that you’re all still sticking with those New Year’s resolutions. I’m more of a “fresh starts and modest changes” kind of guy, myself, but I can see the appeal.
A Midnight Blizzard Hits Microsoft
This week, the big news dropped right at the end of the week - with a classic Friday Night News Drop from Microsoft (who, for the record, is now spending time with the title of World’s Most Valuable Company - having overtaken Apple).
The news broke due to an 8-K filing with the SEC - which does raise a bit of a question as to whether we’d have ever found out about this event otherwise. They pointed to a PR-heavy blog post that notes there is “no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems” - reading, to me, that they’d have rather kept it all under wraps but couldn’t because of those pesky laws.
So what did happen?
Microsoft says that:
“Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself.”
This is a particularly poorly timed hit for Microsoft, because they’ve dealt with Chinese threat actors cleverly hacking into government M365 accounts, changed out their security leadership - including a new CISO, and made a big deal about their “ongoing commitment to responsible transparency” in their Secure Future Initiative.
The actions disclosed in this post sound like a pretty classic counter-intelligence operation, and I would note that Midnight Blizzard has been attributed by Microsoft and others to be Russia’s Foreign Intelligence Service, the SVR.
It also sounds like Microsoft had a set of “cascading failures” that led to this breach, including the use of legacy technology, connecting a test system to a production system, and the lack of multi-factor authentication. All guesses, of course, because of the overly vague language in their filing and blog post - which, again, is only helpful to the attackers and does nothing to enable others to defend against these techniques in their own enterprise.
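A defender-side illustration of the technique Microsoft describes, added here and not part of the original post or of anything Microsoft published: a password spray stays under per-account lockout thresholds, so per-user alerting misses it, but grouping failures by source IP and counting distinct target accounts in a time window catches it. The event format and the sample sign-ins are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (ISO time, account, source IP, result, mfa_enforced).
# One IP tries a few passwords against many accounts, then lands on a legacy
# test account with no MFA; the second IP is an ordinary user mistyping once.
SAMPLE_SIGNINS = [
    ("2023-11-20T02:00:00", "alice@corp.example", "203.0.113.9", "failure", True),
    ("2023-11-20T02:04:00", "bob@corp.example", "203.0.113.9", "failure", True),
    ("2023-11-20T02:09:00", "carol@corp.example", "203.0.113.9", "failure", True),
    ("2023-11-20T02:15:00", "dave@corp.example", "203.0.113.9", "failure", True),
    ("2023-11-20T02:21:00", "erin@corp.example", "203.0.113.9", "failure", True),
    ("2023-11-20T02:30:00", "legacy-test@corp.example", "203.0.113.9", "success", False),
    ("2023-11-20T08:00:00", "alice@corp.example", "198.51.100.4", "failure", True),
    ("2023-11-20T08:01:00", "alice@corp.example", "198.51.100.4", "success", True),
]

WINDOW = timedelta(hours=1)   # assumed tuning values; adjust to your tenant's baseline
MIN_USERS = 5

def _ts(s):
    return datetime.fromisoformat(s)

def spraying_ips(events, window=WINDOW, min_users=MIN_USERS):
    """Return {ip: set(users)} for IPs whose failed sign-ins hit at least
    `min_users` distinct accounts inside any `window`-long span."""
    failures = defaultdict(list)
    for t, user, ip, result, _ in events:
        if result == "failure":
            failures[ip].append((_ts(t), user))
    hits = {}
    for ip, rows in failures.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            users = {u for t, u in rows[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = users
                break
    return hits

def footholds(events, sprayers):
    """Successful sign-ins from a spraying IP: the accounts to treat as compromised.
    The mfa flag shows which ones were reachable with a password alone."""
    return [(user, ip, mfa) for t, user, ip, result, mfa in events
            if result == "success" and ip in sprayers]
```

Running it on the sample flags 203.0.113.9 as the sprayer and the MFA-less legacy test account as the foothold, which is the pattern described in the filing.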
Frankly, I continue to find this sort of thing massively frustrating, especially after Microsoft touts their “ongoing commitment to responsible transparency” - apparently only responsible for helping themselves.
I think there are a few ways to read the tea leaves here:
First, because of the SEC’s new rules, we’re going to get disclosures that we’d otherwise never get. This is one, and so is the fact that 35 million customers had their data stolen from VF Corp (parent company of Vans, The North Face, and more).
Second, we’ve got to realize that we’re all on the same team here. If Microsoft really wanted to help raise the tide, they’d give details. Since they didn’t, it won’t - and the rest of us remain vulnerable to whatever attack techniques the SVR used here. That’s unfortunate.
Third, we may look back at this as a catalyzing moment - either Microsoft and their friends in the USG (who have a vested interest in keeping one of their biggest suppliers and their country’s most valuable company safe) help Russia realize that they’ve entered the Find Out portion of the equation, or Russia, China, Iran, and North Korea become even more emboldened and the situation devolves into every company for themselves.
One way or the other, you’ve got to mind your store - and apparently have to do a better job of it than Microsoft.
Where we go from here is anybody’s guess, but it really does feel like a pivotal moment in the overlay between technology, security, finance, and geopolitics. Buckle yourselves and your systems up for a very wild 2024.
Fundraising
From a fundraising perspective, another big week, with funds totaling more than $16.75B in newly committed capital announced, including Saudi Aramco putting more than $4B into its venture arm, and French firm Committed Advisors raising €2.6 for its fifth PE secondaries fund.
As you’re seeing in these patterns, a special focus - a vertical, a geography, or a funding stage - is what’s drawing new capital. That capital has to go to work, and as the IPO window continues to languish, I expect it to largely be directed towards late-stage ventures in a cash crunch and early-stage ventures that might be an eventual home run. Not a lot is left for folks in the middle, so they’ll need to ensure that they are busy building a business, and not just a company - which ties us back into the discussion at the top of the show about their need to manage cyber risk in a thoughtful way, whatever stage they’re at.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.sec.gov/ix?doc=/Archives/edgar/data/789019/000119312524011295/d708866d8k.htm
https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/
https://www.securityweek.com/microsoft-hires-new-ciso-in-major-security-shakeup/
https://www.sec.gov/Archives/edgar/data/103379/000119312524010243/d641969d8ka.htm