Changelog: Midnight Blizzard rolls over Microsoft and HPE

Aditya Vyas / Unsplash

Welcome to Changelog for 1/25/2024, published by Synack! README senior editor Nathaniel Mott here with meteorological whiplash in upstate New York to bring you the top infosec news.

The payload

Sometimes it feels like nobody wants to spend more than a few seconds on an email. They glance over the subject line, scan through the body of the message and then use Gmail’s new emoji reactions instead of writing a response. But there are people out there who really are interested in every message they encounter—especially when they’re spelunking through the inboxes of Microsoft and HP executives.

Microsoft said on Jan. 19 that Midnight Blizzard, a Russian threat actor also known as APT29 and Cozy Bear, had “used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.”

The company said these nation-state hackers “were initially targeting email accounts for information related to Midnight Blizzard itself” and that “there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.” (I’m not entirely sure why that last part is relevant, but hey, it wouldn’t be a security-related blog post from 2024 without some mention of artificial intelligence.) 
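The chain Microsoft describes (a spray across many accounts with few guesses each, then one success in a legacy test tenant) has a recognisable shape in sign-in logs. The following detector is an added example, not code from Microsoft or the newsletter; the record fields and the sample events are constructed assumptions.

```python
# Added example: flag password-spray sources in sign-in records and surface
# any success from a flagged source (the foothold worth triaging first).
# Record fields (ts, tenant, user, ip, ok) are an assumption, not a real schema.
from collections import defaultdict


def _ev(ts, tenant, user, ip, ok):
    return {"ts": ts, "tenant": tenant, "user": user, "ip": ip, "ok": ok}


# Constructed sample log, not real data.
SIGN_INS = [
    # Spray: one source tries six accounts in a legacy test tenant, one or two
    # guesses each, then lands on a service account.
    *[_ev(f"2024-01-10T03:0{i}:00Z", "legacy-test", u, "198.51.100.7", False)
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    _ev("2024-01-10T03:07:00Z", "legacy-test", "alice", "198.51.100.7", False),
    _ev("2024-01-10T03:08:00Z", "legacy-test", "legacy-svc", "198.51.100.7", True),
    # Brute force: many failures against a single account is not a spray.
    *[_ev(f"2024-01-10T04:{i:02d}:00Z", "corp", "grace", "203.0.113.9", False)
      for i in range(8)],
    # Benign: a user mistypes once and then signs in.
    _ev("2024-01-10T09:00:00Z", "corp", "heidi", "192.0.2.44", False),
    _ev("2024-01-10T09:01:00Z", "corp", "heidi", "192.0.2.44", True),
]


def detect_password_spray(events, min_accounts=5, max_attempts_per_account=3):
    """Return {ip: sorted accounts} for sources whose failures span many
    distinct accounts with few attempts per account (the spray pattern).
    Thresholds are illustrative; tune them to the tenant's normal traffic."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    for e in events:
        if not e["ok"]:
            fails[e["ip"]][e["user"]] += 1
    flagged = {}
    for ip, per_user in fails.items():
        if (len(per_user) >= min_accounts
                and max(per_user.values()) <= max_attempts_per_account):
            flagged[ip] = sorted(per_user)
    return flagged


def successes_after_spray(events, flagged):
    """List (ip, tenant, user) for every successful sign-in from a flagged
    source; a hit in a legacy or non-production tenant still needs review,
    because its permissions may reach further than the tenant's purpose."""
    return [(e["ip"], e["tenant"], e["user"])
            for e in events if e["ok"] and e["ip"] in flagged]
```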

Microsoft wasn’t Midnight Blizzard’s only target. Hewlett Packard Enterprise said in a Jan. 24 filing with the Securities and Exchange Commission that Midnight Blizzard also “accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.” The company said it was notified of the incident on Dec. 12, 2023. It didn’t say who notified it of the incident, but it’s reportedly a Microsoft customer, so there’s a good chance someone there got a call from Redmond.

Neither company has shared additional information about the incidents or about the steps it has taken to lock down its accounts (or, in Microsoft’s case, how it plans to prevent threat actors like Midnight Blizzard from accessing the emails of other companies that rely on its infrastructure). Microsoft did say “the attack was not the result of a vulnerability in Microsoft products or services,” which suggests it’s confident it knows how Midnight Blizzard compromised its executives’ accounts, if not HPE’s.

The week, compiled

Russia isn’t just making its way through Microsoft and HPE’s inboxes. The Record today reported that “several state-owned Ukrainian critical infrastructure companies”—including the “largest state-owned oil and gas company,” the “agency responsible for transport safety,” the state railway and the Ukrainian equivalent to the U.S. Postal Service—have had some of their services disrupted by cyberattacks.

The Record said these attacks brought down the oil and gas company’s website and call centers, disrupted the transport safety agency’s website as well as the system “used by drivers to cross the Ukrainian border or deliver cargo abroad” and made it so “passengers in Kyiv couldn’t buy online tickets for the electric multiple-unit train.” (The postal service has already restored several of its systems, though.)

Andrii Leonov / Unsplash

It’s not clear if the attacks were part of a coordinated effort or how they were carried out. The dichotomy is sort of surreal, though. American companies are worried about Russian hackers reading their emails; Ukrainian companies are trying to remain operational so their customers can manage their heating bills, deliver mail and catch the train, among other things. I don’t want to downplay the former—I’m aware that accessing sensitive information is a problem—but I’d still prefer it to the latter.

Now for some of the week’s top infosec headlines:

TechCrunch: The U.S. on Jan. 23 joined the U.K. and Australia in sanctioning a Russian national, Alexander Ermakov, for allegedly stealing “personally identifiable information (PII) and sensitive health data linked to approximately 9.7 million customers” of the Australian health insurance company Medibank in October 2022. Ermakov is said to be linked to the REvil ransomware gang.

Wired: We haven’t seen the last of NSO Group. Wired reported that the spyware maker is working “to revamp its tarnished image and reverse U.S. regulations that have damaged its business” by “conducting a multimillion-dollar lobbying campaign that attempts to position the company’s spyware as essential for global security” despite reports of its rampant abuse by authoritarian governments around the world.

Ars Technica: The eyes of countless infosec professionals rolled into the backs of their heads last week when HP CEO Enrique Lores claimed the company has configured its printers to stop working if they detect third-party ink cartridges because they “have seen that you can embed viruses in the cartridges” which can then make their way throughout someone’s network. Sounds cool—prove it!

A message from Synack

How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.

Flash memory

Jan. 24 marked the 40th anniversary of the original Macintosh’s debut. A lot has changed in the intervening decades—someone at Apple followed Justin Timberlake’s advice in dropping the “intosh” in favor of just “Mac” because it’s cleaner, the iPod’s empire rose and fell, etc. But it all started with the beige box that has informed the design of the countless personal computers that followed it.

Many of those computers, especially those made by Apple itself, tend to stick to a standard design. But not all! Ars Technica collected some of the “rarest and most unusual production Mac models ever made,” from the chonky Macintosh XL released in 1985 to the infamous trashcan Mac Pro from 2013, to celebrate some of Apple’s infrequent attempts to break the mold of what people expect from a Mac…intosh.

I like Jason Snell’s take on the Mac’s position in 2024: “Apple’s longest-running product is an increasingly small part of the company’s business. And yet, it’s never been more successful.” There’s no denying the Mac isn’t as vital to the company’s success as it once was, and the upcoming release of the Vision Pro headset suggests that even Apple thinks personal computing will look far different in the years ahead.

Apple’s been selling Macs for 40 years. Will it sell them for another 40?

Local files

BleepingComputer: Ransomware operators continue to target wastewater facility operators. BleepingComputer reported on Jan. 23 that Veolia North America “implemented defensive measures, temporarily taking some systems offline to contain the breach,” in response to a recent incident. (The silver lining: “the attack hasn't disrupted Veolia's water treatment operations or wastewater services.”)

The Record: The U.K. National Cyber Security Centre is confident that artificial intelligence is providing a “capability uplift in reconnaissance and social engineering” and will soon be utilized for “malware and exploit development, vulnerability research and lateral movement by making existing techniques more efficient,” The Record reported on Jan. 23, which seems likely to add fuel to the already-raging AI fire.

SEC: The Securities and Exchange Commission said on Jan. 22 that its account on the platform formerly (and forever) known as Twitter was compromised via a SIM-swapping attack. It also said that although “multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account.”

Off-script

A quick update on my Framework Laptop journey: everything seems great so far even though I made things nearly as hard as I could have by opting for Linux instead of Windows; NixOS instead of the officially supported distributions; and a tiling window manager instead of a full-fledged desktop environment. I’m still tinkering, of course, but I remain optimistic about my decision to give this repair-friendly laptop a shot instead of continuing to buy more mainstream hardware.


Alexander Shatov / Unsplash

One thing I know I love: the 3:2 aspect ratio display. Reading, writing and browsing the web is just so much nicer with the additional vertical space. I wouldn’t choose it for a gaming PC—that’s 16:9 all the way—but I am tempted to look into monitors with a similar aspect ratio for my day-to-day work. And, just to bring everything full circle, the original Macintosh’s display also had a roughly 3:2 aspect ratio. Coincidence? Maybe! Or maybe, just maybe, they were onto something 40 years ago.