Depressing news last month as Microsoft disclosed that its corporate IT systems were hacked by the Russian state-sponsored threat actor Midnight Blizzard. After using a password spray attack to compromise a non-production test account and gain a foothold, the threat actor was able to access a very small percentage of Microsoft corporate email accounts, including those of members of Microsoft’s senior leadership team and other employees in cybersecurity and legal.
Cybersecurity shouldn’t be this hard, and if Microsoft can’t stay on top of its cybersecurity posture, how is a small business supposed to keep up? There are multiple lessons for us business owners to learn.
- Lesson 1: Microsoft saw them coming – Midnight Blizzard is a formidable force, part of the Russian foreign intelligence service, and responsible for several major cyber attacks, including the SolarWinds attack of 2020 that impacted nearly 18,000 companies worldwide. Microsoft is well aware of the threat, but couldn’t stop them due to complexity in its IT systems.
- Lesson 2: Threat actors thrive on persistent footholds – When a threat actor can breach a network and establish a persistent foothold without getting caught, the amount of damage that they can cause multiplies exponentially.
- Lesson 3: Even basic hacks like password spraying can be effective – This attack is particularly hard for Microsoft to take because it was so basic. Microsoft’s cybersecurity reputation has taken a hit on this one.
- Lesson 4: New SEC cybersecurity disclosure rule put to the test – Microsoft disclosed the attack to the SEC on January 19th. It seems to have had the desired effect (more transparency to the public).
- Lesson 5: Foreign threat actors continue to operate with impunity – Sadly, there is little chance of bringing Midnight Blizzard or any other foreign threat actor to justice.
- Lesson 6: Cyber insurance coverage may exclude acts of war – Major cyber insurance carriers are potentially looking to exclude coverage for cyber attacks from nation-state sponsored threat actors against the private sector. Pay attention to those cyber insurance renewals!
Want to learn more about how to reduce your cyber risk? Reach out for a complimentary Cybersecurity Discovery Call.