The Russian state-backed hacking group Midnight Blizzard has stolen email correspondence between U.S. government agencies and Microsoft.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to federal agencies on April 2 about the breach, but it was not made public until Thursday. The directive, ED 24-02, titled “Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System,” describes the attack and how affected agencies must respond.
The directive requires affected agencies to act immediately: reset any passwords, API keys, or other authentication credentials that may have been exposed in the stolen email, and monitor for malicious activity, in particular by reviewing sign-in and activity logs. Affected agencies must also identify the full content of their correspondence with the compromised Microsoft accounts, perform a cybersecurity impact analysis, and notify CISA of any confirmed or suspected compromise. It was also recommended that
CISA warned that the campaign, which came to light in January, may also have targeted non-governmental organizations. Microsoft acknowledged in a blog post last month that it is still contending with the same adversary, and said the group was attempting to use sensitive information “shared between customers and Microsoft” that it had found in the stolen emails.
Microsoft said the intrusion was more serious than initially assessed and that the attackers had also accessed some of its source code repositories. “Once we discovered these issues in the leaked emails, we reached out to these customers to help them take mitigation steps, and we continue to do so,” the company said in a statement.
“Significant and unacceptable risk”
Midnight Blizzard is a state-sponsored hacking group attributed to Russia's Foreign Intelligence Service (SVR). The group, also tracked as Cozy Bear, APT29, and Nobelium, was first identified in 2008 by researchers at the cybersecurity firm Kaspersky. Its high-profile operations include the 2016 attack on the Democratic National Committee and the 2020 SolarWinds supply-chain compromise, in which twelve U.S. federal agencies were breached. The same group also broke into Hewlett Packard Enterprise's Microsoft 365 email environment beginning in May 2023, stealing mailbox data from its cybersecurity and other departments.
The directive states that the breach presents a “significant and unacceptable risk to agencies.” After the initial intrusion came to light in January, Microsoft observed a roughly tenfold increase in the volume of some aspects of the campaign, including password-based attacks such as password spraying against a range of accounts, according to CISA.
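The directive's two technical asks, review the sign-in logs and reset any credential the intruder may hold, can be turned into a short triage script. The block below is an added example, not code from the article, CISA, or Microsoft. It runs over constructed Microsoft Entra ID sign-in records whose field names follow the real sign-in log export (createdDateTime, userPrincipalName, ipAddress, status.errorCode, clientAppUsed); the users, IP addresses and timestamps are invented. Error code 50126 (invalid username or password) and 50053 (account locked) are the Entra codes a password spray leaves behind; the thresholds and the list of legacy client names are assumptions to tune for your tenant.

```python
"""Triage Entra ID sign-in logs for password spraying and the accounts it reached.

Added example, not from the article or CISA ED 24-02.  The records below are
constructed; field names mirror the Entra ID sign-in log export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# status.errorCode values: 0 = success; 50126 = invalid username or password;
# 50053 = account locked.  Both non-zero codes are what a spray produces.
FAILED_PASSWORD_CODES = {50126, 50053}

# clientAppUsed values for legacy protocols that cannot complete MFA, so a
# sprayed password is usable through them.  Assumed list; adjust per tenant.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}


def _rec(ts, user, ip, code, client="Browser"):
    """Build one sign-in record in the shape of the Entra export."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "status": {"errorCode": code}, "clientAppUsed": client}


SPRAY_IP = "203.0.113.7"  # constructed attacker address (TEST-NET-3)
SAMPLE_SIGNINS = [
    # eight different accounts, one source, failed passwords 5 seconds apart
    _rec(f"2024-02-03T02:00:{5 * i:02d}Z", f"user{i:02d}@agency.example", SPRAY_IP, 50126)
    for i in range(1, 9)
] + [
    _rec("2024-02-03T02:04:40Z", "user03@agency.example", SPRAY_IP, 0),          # the spray hit
    _rec("2024-02-03T09:12:00Z", "user01@agency.example", "198.51.100.20", 0),   # normal traffic
    _rec("2024-02-03T09:15:30Z", "user02@agency.example", "198.51.100.21", 50126),  # one typo
    _rec("2024-02-03T09:16:02Z", "user02@agency.example", "198.51.100.21", 0),
    _rec("2024-02-03T11:40:00Z", "user07@agency.example", "192.0.2.9", 0, client="IMAP4"),
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def password_spray_sources(records, min_users=5, window=timedelta(minutes=30)):
    """Return {ip: sorted users} for sources that failed password auth against
    at least `min_users` distinct accounts within any `window`-long span.
    Many accounts from one source in a short time is the spray signature; a
    single user mistyping a password is not."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] in FAILED_PASSWORD_CODES:
            failures[r["ipAddress"]].append((_ts(r), r["userPrincipalName"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def accounts_to_reset(records, spray_ips):
    """Accounts with a successful sign-in from a spraying source.  Treat these as
    compromised: reset the password, revoke sessions and refresh tokens, and
    rotate any API keys or app secrets the user can reach."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["ipAddress"] in spray_ips and r["status"]["errorCode"] == 0})


def legacy_auth_successes(records):
    """Successful sign-ins over legacy protocols, which skip MFA entirely."""
    return sorted((r["userPrincipalName"], r["clientAppUsed"]) for r in records
                  if r["status"]["errorCode"] == 0 and r["clientAppUsed"] in LEGACY_CLIENTS)


if __name__ == "__main__":
    sprays = password_spray_sources(SAMPLE_SIGNINS)
    for ip, users in sprays.items():
        print(f"password spray from {ip}: {len(users)} accounts targeted")
    print("reset credentials for:", accounts_to_reset(SAMPLE_SIGNINS, sprays))
    print("legacy-auth successes to review:", legacy_auth_successes(SAMPLE_SIGNINS))
```

Against real data, feed `password_spray_sources` the JSON export of the sign-in logs (or a Log Analytics query result) and lower or raise `min_users` with your tenant's baseline; the third function matters because a sprayed password only becomes a mailbox compromise if a protocol without MFA will accept it.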
The latest Midnight Blizzard attack on Microsoft
The disclosure adds to a run of recent security headlines centered on Microsoft. Last week, the U.S. Cyber Safety Review Board (CSRB) released a report calling a separate intrusion, by the Chinese state-sponsored group Storm-0558, “preventable.” The report criticized Microsoft for a cascade of security failures and for a lack of transparency about how it handled and resolved the underlying weaknesses.
Earlier this week, another exposure was revealed: an unsecured Azure Storage server left employee credentials open to the internet. The server held code, scripts, and configuration files containing passwords and other sensitive data that staff used to access internal systems.
CISA did not name the federal agencies most likely affected by the group. Microsoft has agreed to provide metadata for all federal agency correspondence at the request of the National Cyber Investigative Joint Task Force (NCIJTF), which agencies may contact voluntarily.