Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Government

CISA Warns Russian Microsoft Hackers Targeted Federal Emails

US Cyber Defense Agency Instructs Agencies to Fortify Systems Amid Microsoft Breach
CISA Warns Russian Microsoft Hackers Targeted Federal Emails
The U.S. Cybersecurity and Infrastructure Security Agency ordered federal agencies to take steps against Russian state hackers.

The U.S. cyber defense agency directed federal agencies Thursday to take immediate steps to guard Microsoft accounts against attacks from a Russian Foreign Intelligence Service hacking group.

See Also: New OnDemand | People-Centric Security for the Public Sector

The Cybersecurity and Infrastructure Security Agency invoked invoked emergency powers in a directive for agencies to take measures such as resetting credentials, deactivating associated applications and reviewing account logs for potentially malicious activity.

The threat actor known as Midnight Blizzard used information exfiltrated from corporate email systems to gain additional access to Microsoft customer systems, according to the directive. The threat actor is also known as APT29 and Cozy Bear.

CISA said the breach "presents a grave and unacceptable risk to agencies" while echoing warnings from Microsoft that the hacking group "has increased the volume of some aspects of the intrusion campaign" (see: Russian State Hackers Penetrated Microsoft Code Repositories).

CISA Executive Assistant Director for Cybersecurity Eric Goldstein told reporters Thursday there are no signs that the Microsoft hack led to the successful breach of federal networks.* But Goldstein told reporters he doesn't want to minimize the risk posed by foreign state hackers, since federal agencies are experiencing "sustained" cyber threats from foreign adversaries.

"It is certainly the case that Midnight Blizzard is a persistent threat to organizations public and private," he said.

The directive comes just days after a scathing federal review slammed Microsoft for fostering an inadequate security culture that led to a separate, Chinese-led espionage campaign beginning in 2023 (see: Report Slams Microsoft for Security Blunders in Chinese Hack).

CISA Director Jen Easterly said in a statement the directive was issued "to reduce risk to our federal systems" amid continued fallout from the Microsoft hack, which began in late November when the Russian state hackers first breached multiple senior executives' email accounts.

"For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook," Easterly said, adding: "This latest compromise of Microsoft adds to their long list."

Midnight Blizzard used a password spray attack to gain access to a compromised legacy non-production test account, according to a Microsoft blog post from January, eventually gaining a foothold to then access other corporate email accounts.

The hackers made their way up the corporate chain to members of Microsoft's senior leadership team, as well as employees across the corporation's cybersecurity and legal divisions, among others. While the hackers initially appeared to be "targeting email accounts for information related to Midnight Blizzard itself," the latest warnings from CISA indicates that their campaign expanded in scope since then.

Agencies are also required to take steps to identify "the full content of the agency correspondence with compromised Microsoft accounts" and perform cybersecurity impact analyses. Those affected by the hack are required to provide their next status updates to CISA by May 1, in addition to weekly updates on remediation actions until completion.

*Update April 11, 2024 20:12 UTC: Adds comments from Eric Goldstein.


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.