Russian government-backed hackers “Midnight Blizzard” have stolen correspondence between US government officials and Microsoft, potentially enabling access to federal systems.
The US Cybersecurity and Infrastructure Security Agency (CISA) disclosed the breach in an emergency directive issued directly to agencies on 2 April, but it was only made public on Thursday. The directive, called “Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System”, outlines details of the attack and how infiltrated agencies should respond.
The directive instructs infiltrated agencies to take immediate action: change passwords, API keys or any other authentication credentials that may have been compromised, and review the sign-in and activity logs of accounts that may have been compromised for signs of malicious activity. Affected agencies are also told to identify the full content of agency correspondence with the compromised Microsoft accounts, perform a cybersecurity impact analysis, and notify CISA of any identified or suspected instances of compromise.
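As an added illustration of the log-review and credential-rotation steps the directive describes (example code written for this article, not CISA's or Microsoft's tooling): the script below triages a handful of constructed sign-in records, flags any source address that failed against many distinct accounts in a short window (the pattern of a password spray), lists accounts that then signed in successfully from such a source, and reports which suspect accounts still have credentials that were not rotated after the breach window opened. The record layout, field names, account names, IP addresses, thresholds and rotation dates are all assumptions made for the example.

```python
"""Triage of constructed sign-in records: spray sources, follow-on successes,
and suspect accounts whose credentials have not been rotated since the breach.
The log format (ts user src_ip result) is an assumption, not a real product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed schema: timestamp, user, source IP, result).
SAMPLE_LOG = [
    "2024-01-12T02:00:05Z alice@example.gov 203.0.113.7 FAILURE",
    "2024-01-12T02:01:10Z bob@example.gov 203.0.113.7 FAILURE",
    "2024-01-12T02:02:15Z carol@example.gov 203.0.113.7 FAILURE",
    "2024-01-12T02:03:20Z dave@example.gov 203.0.113.7 FAILURE",
    "2024-01-12T02:04:25Z erin@example.gov 203.0.113.7 FAILURE",
    "2024-01-12T02:09:40Z carol@example.gov 203.0.113.7 SUCCESS",
    "2024-01-12T08:30:00Z alice@example.gov 198.51.100.2 SUCCESS",
    "2024-01-12T08:31:00Z bob@example.gov 198.51.100.2 FAILURE",
    "2024-01-12T08:31:30Z bob@example.gov 198.51.100.2 SUCCESS",
]

# Constructed credential-rotation records (user -> last rotation date) and an
# assumed start of the compromise window; both are placeholders for the example.
ROTATED = {
    "alice@example.gov": datetime(2024, 4, 3),
    "bob@example.gov": datetime(2024, 4, 3),
    "carol@example.gov": datetime(2023, 12, 20),   # rotated before the window: stale
}
BREACH_START = datetime(2024, 1, 1)


def parse_events(lines):
    """Split each whitespace-separated record into a dict with a parsed timestamp."""
    events = []
    for line in lines:
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return events


def find_spray_sources(events, min_accounts=5, window=timedelta(minutes=30)):
    """Return {ip: set_of_users} for sources whose failures hit at least
    min_accounts distinct accounts within any sliding window of the given length."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            failures_by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


def successes_from_spray_sources(events, spray_sources):
    """(user, ip) pairs that signed in successfully from a flagged source."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["result"] == "SUCCESS" and e["ip"] in spray_sources})


def credentials_pending_rotation(suspect_users, rotated, since):
    """Suspect accounts with no rotation record, or a rotation older than `since`."""
    return sorted(u for u in suspect_users
                  if rotated.get(u) is None or rotated[u] < since)


def triage(lines, rotated, breach_start):
    """Run the three checks and return one report dict."""
    events = parse_events(lines)
    spray = find_spray_sources(events)
    suspects = {u for users in spray.values() for u in users}
    return {
        "spray_sources": {ip: sorted(users) for ip, users in spray.items()},
        "successful_from_spray": successes_from_spray_sources(events, spray),
        "rotation_pending": credentials_pending_rotation(suspects, rotated, breach_start),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, ROTATED, BREACH_START).items():
        print(f"{key}: {value}")
```

The sliding-window check is deliberately per source address rather than per account, because a spray spreads a small number of guesses across many accounts and rarely trips a per-account lockout; the rotation check then closes the loop on the directive's first instruction by listing exactly which of the suspect accounts still need new credentials.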
The hack, which began in January, may also have targeted non-governmental groups, CISA warned. Microsoft acknowledged in a blog post last month that it was still tackling security issues from the same adversaries, and said the group was attempting to use confidential information “shared between customers and Microsoft” in emails.
Microsoft said the attack was more severe than first expected, and that company source code had also been accessed by the hackers. “As we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” the company said.
“A grave and unacceptable risk”
Midnight Blizzard is a state-sponsored hacking group associated with Russia’s Foreign Intelligence Service. Also known as Cozy Bear, APT29 or Nobelium, the group was first noticed by researchers at the cybersecurity firm Kaspersky as far back as 2008. High-profile activities include the 2016 attack on the Democratic National Committee and the SolarWinds hack in 2020, in which nine US federal agencies were compromised. The group also hacked Hewlett Packard Enterprise via its Microsoft 365 email environment in May 2023, stealing data from its cybersecurity unit as well as other departments.
The directive described the breach as “a grave and unacceptable risk to agencies.” Following the initial breach in January, Microsoft saw a “ten-fold” increase in the attack overall, including full-scale efforts to utilise passwords from different compromised accounts, CISA reported.
Microsoft’s latest attack by Midnight Blizzard
The disclosure adds to a spate of recent cyber headlines with Microsoft at their centre. Last week, the US Cyber Safety Review Board (CSRB) released a report blaming Microsoft for a separate, “preventable” hack by the China-backed group Storm-0558. The CSRB report criticised the tech giant for multiple cybersecurity lapses and for a lack of transparency in how it manages and resolves vulnerabilities.
Another data leak became public earlier this week, involving an unsecured server that exposed employee credentials to the open internet. The Azure storage server held code, scripts and configuration files containing passwords and confidential data that staff used to access internal systems.
CISA has not disclosed the names of the federal agencies most likely to have been affected by the hacking group. Microsoft has agreed to provide the metadata for all federal agency correspondence on request from the National Cyber Investigative Joint Task Force (NCIJTF), the voluntary point of contact for federal agencies.