China and Russia keep finding ways to get past Microsoft’s security systems.
In an emergency directive made public on Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that Russian-backed hackers stole emails that had been sent between federal agencies and Microsoft — emails that may have contained users’ login credentials.
CISA’s directive requires the affected agencies to take immediate action to determine the extent of the breach. Specifically, they must analyze the stolen emails for signs that sensitive data or login information was leaked. The agencies whose logins were exposed have until April 30 to reset their passwords and authentication tokens. CISA did not specify which agencies were included in the breach.
The hackers, a group known as Midnight Blizzard that’s sponsored by the Russian state, first gained access to the Microsoft accounts in November 2023 through a password-spraying attack, Microsoft announced in a January press release. The group increased its attacks 10-fold in February and, by the following month, had accessed some of Microsoft’s core software systems, the company said in a March press release.
“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA wrote in its emergency directive.
“For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list,” CISA Director Jen Easterly said in a press release on Thursday. “We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity.”
Microsoft wrote in its January press release that the Midnight Blizzard attacks were “not the result of a vulnerability in Microsoft products or services.”
The company has been under fire recently for its security practices, which one government watchdog group says are “inadequate” and in need of an “overhaul.”
Last week, the US Department of Homeland Security released a report from the Cyber Safety Review Board (CSRB) detailing a “cascade” of “avoidable errors” in the company’s security systems. And those errors, which the CSRB attributed to Microsoft not adequately protecting its customers’ sign-in keys, allowed a Chinese hacking group to access the emails of senior US officials last summer, the report said.
In reference to the Chinese hacking incident, a spokesperson for Microsoft previously told Business Insider that “recent events have demonstrated a need to adopt a new culture of engineering security in our own networks.”
A Microsoft spokesperson told BI of the latest Russian attack: “As we discover secrets in our exfiltrated email, we are working with our customers to help them investigate and mitigate. This includes working with CISA on an emergency directive to provide guidance to government agencies.”
When asked if the Russian hacking incident was caused by the same security vulnerabilities that enabled the Chinese incident, the spokesperson only said that the two “are not related.”