"We were pwned by the Russians (again) and they were reading all of Satya's emails, but it's okay, they were just looking for shout-outs to post in their interoffice Telegram channel for the lulz."
I understand that the company has to minimize every breach but this frankly looks a lot more serious than Microsoft suggests here.
> ... a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents.
Yeah, at least they make up a very small percentage of all Microsoft employees, I guess.
No, they are not. Production systems are the systems that are producing money. If they stop running for an hour, it directly costs the company money through SLA penalties, etc. If the internal email server goes down for an hour, it might cause some employee productivity loss, depending on the timing.
If my coffee machine suddenly stopped working it would definitely have a detrimental effect on production. I can guarantee you that :)
But in general I would say routine janitorial maintenance issues don't have quite the same potential to affect production as Russian criminals reading the email of Microsoft's cybersecurity team.
The only definition that matters is the practical definition that most people would think of, not what the “book” says. Whenever someone tells me “production is down” I think that customers are screwed. If they told me our internal email servers are down, I would smack them in the head cause my stress levels went up for nothing. Internal servers are not production.
But we're not talking about a service outage. In the context of an outage at a service provider I might agree with you.
In this instance, a system used by the cybersecurity team to do its actual job was breached - not some development or testing server.
We don't know what it was exactly that these attackers were looking for or what they found. But it is absolutely possible that the information they gained enables them to protect an ongoing or future attack against Microsoft's customers.
I think I disagree but we might be in agreement based on your thoughts… internal servers that are in the path of data pipelines that customers need are also production. For example, let’s say you have a warehouse and there is some way to manage inventory in there. No customer goes into Microsoft dynamics themselves. However, this Microsoft dynamics is production because our customers rely on the data this provides.
It doesn’t matter to customers if Microsoft teams is down and we are talking to each other internally using iMessage and signal but anything that is in the data path is production.
I’m going to take a wild guess here and say you don’t really run any kind of system. “Internal is not production” is the weirdest statement I have heard in a long time.
Of course these systems are production. Not only production, but _P1_ level production.
No. Whether or not a system runs in production as opposed to a testing/development environment is not a question of who is writing a blog post.
Microsoft produces software and services. The communications of their CEO as well as their cybersecurity and legal teams are part of that overall production process.
I love how they emphasize only few were exposed. Like just a few, only our senior staff and cybersecurity team... I mean -- they aren't lying, but... Wow
1% of 238,000 employees is a "very small percentage" and still 2,380 employees. Insight into certain operational information and potentially undisclosed/unpatched zero days could be monumentally valuable to a nation state actor.
I wonder, is it any different if it's not just the average "you", but the CEO? Don't they have additional security measures? Maybe not, I think Jeff Bezos's WhatsApp was hacked a few years ago...
Is there any basis for this group being "nation-state" or are they just trying to make themselves seem less incompetent by inflating the attackers' reputation?
And somehow it's always cross tenant issues for easy lateral movement, because Azure ASNs are always allowlisted specifically to bypass all kinds of filters.
Microsoft is pretty learning resistant lately. Always prioritize the spamming customers, I guess?
Not to downplay the severity but honestly, every breach I read about seems “serious” but very rarely does anything of consequence happen with these events.
Azure was owned pretty hard a while back, very little was ever heard of it again.
Is the drama of them appealing? What might we expect to happen from this? They’ve read Satya’s email?
How do you know if nothing happens? It isn't like the people siphoning, selling, or purchasing this data are broadcasting their wins on news aggregators.
It makes the news when an entity like Microsoft gets cracked, but when their users get robbed or otherwise hurt as a consequence it will hardly make the news. You not knowing of the consequences doesn't mean they don't exist.
GP is clearly saying "this is important because small people will get hurt invisibly" and your hot take is that them being exploited isn't going to impact Microsoft's bottom line, so this isn't newsworthy?
> Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.
It says nothing about users being compromised.
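An added example, not from this thread or from Microsoft's report, of the detection logic a defender would run over tenant sign-in logs to catch the pattern the quoted report describes: a password spray that touches many accounts once or twice each from one source, followed by the single success that becomes the foothold. The log lines, account names and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): one source sprays a
# single guess across many accounts and lands on a stale test account;
# another source is just a user mistyping their own password.
SIGNIN_LOG = [
    ("2023-11-28T02:00:05Z", "test-tenant-svc", "203.0.113.10", "FAIL"),
    ("2023-11-28T02:00:09Z", "alice",           "203.0.113.10", "FAIL"),
    ("2023-11-28T02:00:14Z", "bob",             "203.0.113.10", "FAIL"),
    ("2023-11-28T02:00:20Z", "carol",           "203.0.113.10", "FAIL"),
    ("2023-11-28T02:00:27Z", "dave",            "203.0.113.10", "FAIL"),
    ("2023-11-28T02:00:33Z", "legacy-test-01",  "203.0.113.10", "SUCCESS"),
    ("2023-11-28T02:10:00Z", "erin",            "198.51.100.7", "FAIL"),
    ("2023-11-28T02:10:30Z", "erin",            "198.51.100.7", "FAIL"),
    ("2023-11-28T02:11:00Z", "erin",            "198.51.100.7", "SUCCESS"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs that fail against many distinct accounts with only a
    few attempts each inside `window` (breadth, not depth, so per-account
    lockout thresholds never trip). For simplicity the window is anchored at
    the source's first event. Returns {src_ip: {"accounts": n,
    "succeeded": [users]}}; any user in "succeeded" is the foothold to chase."""
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        by_src[src].append((parse(ts), user, result))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = evs[0][0]
        fails = defaultdict(int)
        succeeded = []
        for t, user, result in evs:
            if t - start > window:
                break
            if result == "FAIL":
                fails[user] += 1
            else:
                succeeded.append(user)
        if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
            flagged[src] = {"accounts": len(fails), "succeeded": succeeded}
    return flagged
```

Per-account lockout alone misses this shape; the signal is the fan-out from one source, and a success trailing a flagged spray is what turns an alert into an incident.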
This is why they won’t do anything about it though ? Do you understand how it works ?
They’re not going to do anything about the consequences for the users until it impacts their profits.
Name one person who is done with Microsoft after this?
I think the confusion lies between the terms "consequences" and "consequences for Microsoft". There won't be consequences _for Microsoft_ but there will be consequences for regular people. Saying there won't be consequences full stop implies you don't consider the damage to regular people as worthy of discussion or consideration.
> Azure was owned pretty hard a while back, very little was ever heard of it again.
From what I recall, it was a Chinese APT (designated as Storm-0558, which I think means they could not reliably attribute it to any group: https://malpedia.caad.fkie.fraunhofer.de/actor/storm-0558), that was sitting on developers’ workstations long enough to get access to the master signing key from a memory dump that ended up on one of the workstations. They then used it to access US government officials’ emails (Department of State if I recall correctly), which supposedly gave China a strategic advantage and a better understanding of the inner workings of US foreign policy.
You will not see it in the news that China got favourable terms in some negotiations with a country in Africa (area of Chinese interests) and the US got less favourable terms than they could’ve gotten because the Chinese negotiators knew something.