April 12, 2024, updated 17 Apr 2024 1:35pm

Russian hackers stole US federal correspondences through Microsoft breach

The hack is the latest event in ongoing attacks by the prolific state-backed group “Midnight Blizzard”.

By Lauren Hurrell

Russian government-backed hackers “Midnight Blizzard” have stolen correspondence between US government officials and Microsoft, potentially enabling access to federal systems.

The US Cybersecurity and Infrastructure Security Agency (CISA) disclosed the breach in an emergency directive issued directly to agencies on 2 April, but it was only made public on Thursday. The directive, called “Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System”, outlines details of the attack and how infiltrated agencies should respond.

The directive instructs infiltrated agencies to take immediate action to change passwords, API keys, or any other authentication credentials that may have been compromised, and to review sign-in and activity logs for potential malicious activity. Affected agencies were also told to identify the full content of agency correspondence with compromised Microsoft accounts and conduct a cybersecurity impact analysis, notifying CISA of any identified or suspected instances of compromise.

The hack, which began in January, may have also targeted non-governmental groups, CISA warned. Microsoft acknowledged in a blog post last month that it was still tackling security issues from the same adversaries. Microsoft said the group was attempting to use confidential information “shared between customers and Microsoft” in emails.

Microsoft said the attack was more severe than first expected, and that company source code had also been accessed by the hackers. “As we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” the company said.

Government agencies were among those compromised in the hack, which has been ongoing since January. (Photo by Tada Images via Shutterstock)

“A grave and unacceptable risk”

Midnight Blizzard is a state-sponsored hacking group associated with Russia’s Foreign Intelligence Service. Also known as Cozy Bear, APT29 or Nobelium, the group was first noticed by researchers at the cybersecurity firm Kaspersky as far back as 2008. High-profile activities include the 2016 attack on the Democratic National Committee and the SolarWinds hack in 2020, in which nine US federal agencies were compromised. The group also hacked Hewlett Packard Enterprise via its Microsoft 365 email environment in May 2023, stealing data from its cybersecurity unit as well as other departments.

The directive described the breach as “a grave and unacceptable risk to agencies.” Following the initial breach in January, Microsoft saw a “ten-fold” increase in the attack overall, including full-scale efforts to utilise passwords from different compromised accounts, CISA reported.


Microsoft’s latest attack by Midnight Blizzard

The disclosure adds to a spate of recent cyber headlines with Microsoft at their centre. Last week, the US Cyber Safety Review Board (CSRB) released a report blaming Microsoft for a separate “preventable” hack by state-backed hackers from China, Storm-0558. The CSRB report criticised the tech giant for multiple cybersecurity lapses and a lack of transparency in its management and resolution of vulnerabilities.

Another data leak, involving an unsecured server that exposed employee credentials to the open internet, became public earlier this week. The Azure storage server contained code, scripts and configuration files containing passwords and confidential data that staff used to access internal systems.

CISA has not disclosed the names of the federal agencies most likely to have been affected by the hacking group. Microsoft has agreed to provide the metadata for all federal agency correspondence upon the request of the National Cyber Investigative Joint Task Force (NCIJTF), the voluntary point of contact for federal agencies.
