Microsoft Corp. said an account that was compromised by Russia-linked hackers, resulting in a hack of some company emails including senior leaders, didn’t have multifactor authentication enabled.
The hackers “tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures,” according to a Microsoft blog post published late Thursday.
Cybersecurity experts had previously told Bloomberg News they believed the compromised account wasn’t using multifactor authentication, a basic security measure. That’s because it was hacked using a “password spray” technique that typically involves trying many passwords on a user’s account in an attempt to crack it. Password spraying doesn’t work if multifactor authentication is enabled, said Ru Campbell, a cybersecurity consultant and Microsoft Most Valuable Professional or MVP, who often speaks at conferences about the company’s services.
Senator Ron Wyden, Democrat from Oregon, called the compromise “inexcusable.”
Multifactor authentication is “cybersecurity 101 and would have prevented this latest attack,” Wyden said in an emailed statement. “This is yet another wholly avoidable hack that was caused by Microsoft’s negligence. The US government needs to reevaluate its dependence on Microsoft.”
A Microsoft representative didn’t respond to a request to comment on Wyden’s remarks.
See also: Australia’s social media ban for under 16s to become law
In its blog, Microsoft also said it has been warning organizations that they were targets of the same Russian-sponsored group that hacked into its executives’ emails late last year.
The hackers — a group known as Midnight Blizzard or Cozy Bear — have been identified by Microsoft’s Threat Intelligence team as the same cyber-espionage group that “has been targeting other organizations,” according to a blog post Thursday from the technology company.
The disclosure is the latest sign that the group’s recent activities have spread beyond Microsoft. On Wednesday, Hewlett Packard Enterprise Co. reported a breach of its cloud-based email system that it said was likely caused by Midnight Blizzard.
See also: UBS-Credit Suisse integration opens up new tech for bigger plans
Last week, Microsoft disclosed that the group compromised a “legacy non-production test tenant account” and used it as a foothold to access a “small number” of email accounts, including those of senior leadership and employees who work in cybersecurity and legal. The hackers were initially targeting emails for information about Midnight Blizzard itself, Microsoft said.
Last year, Wyden called on government officials to investigate an intrusion of Microsoft Exchange online that enabled the hack of US government emails, including the account of Commerce Secretary Gina Raimondo.
HPE, an information technology provider, said it was notified on Dec. 12 that a nation-state hacking group breached its email systems. Investigators believe the hackers accessed and infiltrated data beginning in May using a small percentage of HPE mailboxes from employees working in cybersecurity and other areas.
The US government has linked the hacking group, also known as Nobelium, to Russia. The same group previously breached SolarWinds Corp. in a massive cyber-espionage campaign against several federal agencies.
(Updated on Jan 27 with additional information starting in fifth paragraph.)