
Why does the data security industry seem to be so into obfuscated jargon? It’s like a new industry microcosm corporatespeak.

It’s ok to call them countries, hackers, and intrusions.

Microsoft got hacked by Russian government hackers.



> It’s ok to call them countries, hackers, and intrusions.

It's not if you want to do business in that country. Or if you annoy allies of that country (accusing certain countries might get senators breathing down your neck!). You are accusing a government of committing a crime, or at least a wildly unethical behavior. Those are huge charges. To your point, I wish they could be more direct, but...

> Microsoft got hacked by Russian government hackers.

It is not known whether this hacking group is private, government sponsored, or government run. They could be a private group that takes both private and government contracts.

If they were funded via government channels, who was it? A higher up person using their personal wealth? A specific agency? Multiple agencies?

The reason they are being so vague is because they don't know the answers, and it is very discrediting to throw around incorrect accusations.


>> It is not known whether this hacking group is private, government sponsored, or government run.

Coming from Russia, that's a distinction without a difference.

Sure, private groups can 'freelance', but not without at least tacit permission from the FSB, GRU, and/or SVR (more accurately, can't freelance for long). Especially so for such a high visibility target such as Microsoft.

And when the RU govt issues a denial, it's confirmed.

But still no reason for MS to escalate the wording. They put enough in there that anyone with a clue knows it's serious.


The distinction probably matters to a lot of people at the scale that Microsoft is operating at. They likely worked with some sort of MS US government liaison on the wording.

Operating with tacit approval is not the same as being a government entity. Even you admit there is a small chance that this group is not tacitly approved ("for long"). I mean yeah, we all know the score, but it's a really bad idea to levy heavy charges without knowing the answer 100%.

This statement does pretty heavily implicate the Russian Govt though, yeah :)


This group is also known as CozyBear, if that rings a bell. The US government named them years ago in an announcement kicking out several Russian diplomats. I don’t think anyone is worried about being wrong on this.

https://attack.mitre.org/groups/G0016/


It is government sponsored. It says in the article.

> Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium.


But how do they know that it's sponsored by Russia? They saw the paychecks?


They’ve been around for a while and identified by several governments.

“NOBELIUM is an advanced persistent threat group also known as APT29, which is publicly attributed to the Russian government and specifically to the Foreign Intelligence Service of the Russian Federation (SVR)”

https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-...


It still doesn't answer how they know that: 1) they were hacked by that exact group 2) that group is sponsored by the Russian government.

The only evidence I've seen before in cases like this one was that they found that the hacks happened during Russia's working hours (i.e. Moscow timezone), and that they found some word in Cyrillic in some of the shell scripts. Which is honestly not hard to pull off if you want to hide your true identity. Not saying Russia is not interested in those hacks, but a lot of far-reaching conclusions are often quickly made based on such weak assumptions.


I am not going to go read every MS blog on this group to find the original attribution, but generally it is from reusing infrastructure associated with a government (often even more specifically, a branch of government). IP addresses, correlated email accounts, domains, who they have targeted in the past, code ties between the malware they use, etc. These indicators can be paired with government releases (CISA) or made independently for attribution.

Say some specific infrastructure is used to hack a law firm involved in prosecuting Russia for war crimes in Ukraine. Then that same infra is used to send disinfo targeting Ukrainian groups. Then some distinct malware used in those attacks is also used to wipe machines in the Ukraine conflict. There are full time groups that track these indicators to tie one attack to another and distinguish groups. This group is likely the SVR.
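The comment above describes attribution as pivoting on shared indicators (IPs, domains, malware code ties) until separate incidents chain together. The script below is an added illustration of that mechanic, not code from any commenter or from Microsoft or CISA: the incident records, indicator values (RFC 5737 documentation addresses, `.example` domains, placeholder hash labels) and the `MIN_SHARED` threshold are all constructed for the example. It links any two incidents that share at least one indicator, clusters the links transitively, and reports which indicator is the pivot between which incidents.

```python
"""Tie incidents together by overlapping indicators (constructed example).

Each incident is a set of typed indicators ('ip:', 'domain:', 'hash:').
Two incidents are linked when they share at least MIN_SHARED indicators;
links are transitive, so a chain A-B, B-C lands all three in one cluster,
which is how the law-firm, disinfo and wiper incidents in the comment get
tied to one group even though no single indicator appears in all three.
"""
from collections import defaultdict
from itertools import combinations

MIN_SHARED = 1  # shared indicators needed to link two incidents (assumption)

# Constructed sample data: hypothetical incident names and indicators.
INCIDENTS = {
    "law-firm-intrusion": {"ip:203.0.113.10", "domain:mail-relay.example", "hash:loader-A"},
    "disinfo-campaign":   {"ip:203.0.113.10", "domain:news-portal.example"},
    "wiper-attack":       {"hash:loader-A", "hash:wiper-B", "ip:198.51.100.7"},
    "unrelated-ransom":   {"ip:192.0.2.44", "hash:ransom-C"},
}


def link_incidents(incidents, min_shared=MIN_SHARED):
    """Return {(incident_a, incident_b): [shared indicators]} for each linked pair.

    Pair keys are in sorted name order so callers can look them up reliably.
    """
    links = {}
    for a, b in combinations(sorted(incidents), 2):
        shared = sorted(incidents[a] & incidents[b])
        if len(shared) >= min_shared:
            links[(a, b)] = shared
    return links


def cluster_incidents(incidents, min_shared=MIN_SHARED):
    """Union-find over the links; returns {incident: frozenset(cluster members)}."""
    parent = {name: name for name in incidents}

    def find(x):
        # Path-halving lookup of the cluster representative.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in link_incidents(incidents, min_shared):
        parent[find(a)] = find(b)

    groups = defaultdict(set)
    for name in incidents:
        groups[find(name)].add(name)
    return {name: frozenset(groups[find(name)]) for name in incidents}


def pivot_report(incidents):
    """Map each indicator seen in two or more incidents to the incidents it ties together."""
    seen = defaultdict(set)
    for name, indicators in incidents.items():
        for indicator in indicators:
            seen[indicator].add(name)
    return {ind: sorted(names) for ind, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for pair, shared in link_incidents(INCIDENTS).items():
        print(f"{pair[0]} <-> {pair[1]} via {shared}")
    for indicator, names in pivot_report(INCIDENTS).items():
        print(f"pivot {indicator}: {names}")
    for cluster in set(cluster_incidents(INCIDENTS).values()):
        print("cluster:", sorted(cluster))
```

The threshold is the honest knob: with `MIN_SHARED = 1` a single reused IP is enough to merge two incidents, which is exactly the kind of weak link the earlier comment about timezones and Cyrillic strings objects to. Raising it, or weighting indicator types so a shared malware build counts for more than a shared hosting address, is how real tracking teams keep one coincidental overlap from collapsing distinct groups into one.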


The US government publicly named this group as a Russian government tool in a diplomatic announcement kicking out multiple Russian embassy employees in 2021. This is linked as a footnote as the citation for this claim made in the article I shared above.


My summary understanding of this write-up is that a weak password was guessed and allowed entry into an old system that had access to stuff it shouldn't have had access to.


Your summary is also ambiguous. Were they hacked by the Russian CIA equivalent? Were they hacked by people funded by the Russian government? Were they hacked by people funded by senior government officials?

I think it's possible that the truth is a little murky, and capturing that ambiguity is actually clearer than trying to wave it away.


> The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard

https://www.cisa.gov/topics/cyber-threats-and-advisories/adv...

So, they're "Russian Foreign Intelligence Service (SVR) cyber actors"


I'm guessing that's like saying they are hired by the Russian equivalent of the CIA and following direct orders from top Russian officials?


While the CIA is a US foreign intelligence agency, I'd hesitate to call them equivalent. Hired by as in, employees of, Russian intelligence? Unless my link is inaccurate, yes.


At least for the "Midnight Blizzard" part of the title, it's the result of a naming framework [0] for threat actors that Microsoft has been using since April 2023. I agree it sounds weird.

[0] https://learn.microsoft.com/en-us/microsoft-365/security/int...


The naming framework for these groups isn't even consistent, with every vendor having their own scheme. Midnight Animal to one vendor is Dancing Bear to another and known by Wet Cat to yet another.

They all sound like bad translations to bargain-bin porno movies.


I’m not aware of another company that uses a naming framework.


Crowdstrike. FireEye.


Definitely agree that Crowdstrike's naming veers past what is necessary.

They even draw up supervillain graphics for them.

https://www.crowdstrike.com/adversaries/arcane-kitten/


This is really cool and incredibly stupid.

Like, who is this made to appeal to? Is this meant to make corporate executive browsing for cybersecurity solutions feel like they're in a spy movie?


Cybersecurity professionals, in general, eat this stuff up.


This is wild. Ethereal Panda? Labyrinth Chollima?!

Why are we modelling threat actors/"adversaries" as a video game bestiary? Or meteorological phenomena in the case of MS?


Why not?


per that link: Midnight Blizzard == Cozy Bear[1] who were in the US news.

[1] https://en.wikipedia.org/wiki/Cozy_Bear


It largely boils down to the same reason scientists classify animals into taxonomies. It helps to have a framework for classifying the groups so you can refer back to them in the future.

Going back to my example with taxonomies: Yeah, you got bit by a spider, but exactly which kind of spider bit you? What do we know about those kinds of spiders, e.g. are they known for being venomous or not, does their bite have a well-known reaction in humans, etc.


Because the reality is murky.


Russia hacks, but so do China, North Korea, Iran and Ukraine. They all have bagged large targets. It could be any of them but could be someone else as well.


As does UK and the USA. Maybe it's Microsoft hacking itself; GPT style.

If so, hello Skynet.


Woah. Easy there. It sounds like you're trying to start a flamewar by singling out Russia. Don't you know that every country does this?! Please preface any accusations against Russia with paragraphs of anti-Western invective. /s



