Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

US Government on High Alert as Russian Hackers Steal Critical Correspondence From Microsoft

The US government says Midnight Blizzard’s compromise of Microsoft corporate email accounts “presents a grave and unacceptable risk to federal agencies.”

Microsoft breach

The US cybersecurity agency CISA on Thursday issued an emergency directive mandating that all federal agencies immediately hunt for signs of a known Russian APT that broke into Microsoft’s corporate network and pivoted to steal sensitive correspondence from US government agencies.

The directive comes less than three months after Redmond disclosed the embarrassing hack and confirmed the ‘Midnight Blizzard’ attackers also stole source code and may still be poking around its internal computer systems. 

According to the CISA directive, federal agencies must immediately “analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said.

The agency warned that the Russian government-backed hackers are using information initially exfiltrated from the corporate email systems — including authentication details shared between Microsoft customers and Microsoft by email — to gain, or attempt to gain, additional access to Microsoft customer systems. 

The agency said it worked with the world’s largest software maker to notify all federal agencies whose email correspondence with Microsoft was identified as exfiltrated by the Midnight Blizzard threat actor.

“In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies,” CISA said.

The agency said Micrsooft also agreed to provide metadata for all exfiltrated federal agency correspondence — regardless of the presence of authentication secrets — upon the request of the National Cyber Investigative Joint Task Force (NCIJTF), which is the single federal point of contact for this incident.

Advertisement. Scroll to continue reading.

Earlier this year, Microsoft said the professional hacking team used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts.

“[They] exfiltrated some emails and attached documents,” Microsoft said in a filing with the Securities and Exchange Commission (SEC). The company said its security team detected the nation-state attack on our corporate systems on January 12, 2024 and traced the infection back to November 2023.

The discovery of Russian hackers in Microsoft’s network comes less than six months after Chinese cyberspies were caught using forged authentication tokens using a stolen Azure AD enterprise signing key to break into M365 email inboxes. 

Following that breach, which led to the theft of email data from about 25 government organizations in the United States, the Cyber Security Review Board (CSRB) issued a scathing report that called out “a cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.”

“Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” according to the CSRB report.

Related: Microsoft’s Security Chickens Have Come Home to Roost

Related: Microsoft Says Russian Hackers Stole Source Code

Related: Microsoft Says Russian Gov Hackers Stole Email Data From Senior Execs

Related: Chinese Cyperspies Use Stolen Microsoft Key to Hack Gov Emails

Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups.