Russian hackers accessed federal agencies' emails in Microsoft breach, CISA says
The alert comes a week after Microsoft was faulted in a Homeland Security Department report for fostering a security culture that enabled a similar China-backed cyberattack last year.
Kremlin-backed operatives that accessed sensitive Microsoft systems in January through brute-force password guessing techniques successfully exfiltrated email correspondence from federal civilian agencies, the Cybersecurity and Infrastructure Security Agency said Thursday.
The software giant issued an alert on the group, dubbed Midnight Blizzard by industry security researchers, near the start of the year. The hackers, linked to Russia’s Foreign Intelligence Service, are using data “initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,” CISA said in the emergency directive.
CISA said that the company will provide necessary metadata on the compromised emails to affected agencies, as well as the metadata for all stolen agency correspondence. CyberScoop first reported on the directive last week, citing three government officials familiar with the matter.
Eric Goldstein, CISA's executive assistant director of cybersecurity, declined to comment on the specific agencies affected but said they are urgently taking remediation steps. The targeted agencies must update CISA by May 1 on their activities responding to the directive.
“As we shared in our March 8 blog, as we discover secrets in our exfiltrated email, we are working with our customers to help them investigate and mitigate. This includes working with CISA on an emergency directive to provide guidance to government agencies,” a company spokesperson told Nextgov/FCW.
“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said, advising agencies to analyze the contents of the exfiltrated emails, reset credentials and ensure their Microsoft authentication tools are secure.
The company has already come under fire for what a DHS assessment last week said was lax culture that enabled a high-profile Chinese state-backed cyberattack last year, where hackers accessed the Microsoft email accounts of top government officials.
“While this second intrusion was outside of the scope of the Board’s current review, the Board is troubled that this new incident occurred months after the Exchange Online compromise covered in this review,” the Cyber Safety Review Board wrote in last week’s findings, referring to the Midnight Blizzard incident.
“This additional intrusion highlights the Board’s concern that Microsoft has not yet implemented the necessary governance or prioritization of security to address the apparent security weaknesses and control failures within its environment and to prevent similar incidents in the future,” it added.
Midnight Blizzard is linked to numerous high-profile cyber incidents, including the 2020 SolarWinds hack and the 2016 hack of the Democratic National Committee.
Editor's note: This article has been updated to include a response from CISA.