WASHINGTON - Russian government hackers have compromised Microsoft cloud customers and stolen emails from at least one private-sector company, according to people familiar with the matter, a worrying development in Moscow's ongoing cyberespionage campaign targeting numerous U.S. agencies and corporate computer networks.
The intrusions appear to have occurred via a Microsoft corporate partner that handles cloud-access services, those familiar with the matter said. They did not identify the partner or the company known to have had emails stolen. Like others, these people spoke on the condition of anonymity to discuss what remains a highly sensitive subject.
Microsoft hasn't publicly commented on the intrusions. On Thursday, an executive with the tech giant sought to downplay the issue's significance.
"Our investigation of recent attacks has found incidents involving abuse of credentials to gain access, which can come in several forms," Jeff Jones, Microsoft's senior director for communications, said. "We have still not identified any vulnerabilities or compromise of Microsoft product or cloud services."
The troubling revelation comes several days after Microsoft's president, Brad Smith, said the Fortune 500 company had not seen any customers breached through its services, including the vaunted Azure cloud platform used by governments, major corporations and universities worldwide.
"I think we can give you a blanket answer that affirmatively states, no, we are not aware of any customers being attacked through Microsoft's cloud services or any of our other services, for that matter, by this hacker," Smith told The Washington Post on Dec. 17.
Yet two days earlier, Microsoft notified the cybersecurity firm CrowdStrike of an issue with a third-party reseller that handles licensing for its Azure customers, according to a blog post CrowdStrike published Wednesday. In its post, CrowdStrike alerted customers that Microsoft had detected unusual behavior in CrowdStrike's Azure account and that "there was an attempt to read email, which failed." CrowdStrike does not use Microsoft's email service. It did not link the tactic to Russia.
People familiar with the previously undisclosed email theft said it does not exploit any Microsoft vulnerability. The company itself was not hacked - only one of its partners, they said.
Nevertheless, the troubling development raises concerns about the extent of Microsoft's disclosure obligations, cybersecurity experts said.
"If it's true that a cloud service provider customer's data has been exfiltrated and is in the hands of some threat actor, that's a very serious situation," said John Reed Stark, who runs a consulting firm and is former chief of the Securities and Exchange Commission's Office of Internet Enforcement. "It should raise all sorts of alerts within that cloud provider that could trigger a litany of notification, remediation and disclosure requirements - both national and international."
In a blog post last week, Microsoft stated it was notifying "more than 40 customers" that they had been breached. Some of them were compromised through the third party, people familiar with the matter said.
Specifically, the adversary hacked the reseller, stealing credentials that can be used to gain broad access to its customers' Azure accounts. Once inside a particular customer's account, the adversary had the ability to read - and steal - emails, among other information.
Microsoft began alerting private-sector clients to the issue last week. Jones said the company also informed the U.S. government last week "that some reseller partners were affected." However, two individuals familiar with the matter said the government was not notified.
Microsoft itself has not publicly announced the reseller hack. By contrast, when the cybersecurity firm FireEye learned it had been breached through a software update, it disclosed the information. That software patch, from a company called SolarWinds, has been the path through which the Russians have compromised at least five major federal agencies in a major ongoing campaign that has U.S. officials working through the holidays.
SolarWinds has acknowledged the hack, calling it "very sophisticated."