Russia stole US agencies’ emails from Microsoft systems, CISA says

Updated: April 12, 10:45 a.m.

Kremlin-backed operatives who accessed sensitive Microsoft systems in January through brute-force password guessing techniques stole email correspondence from federal civilian agencies, the Cybersecurity and Infrastructure Security Agency said Thursday.

The software giant issued an alert on the group, dubbed Midnight Blizzard by industry security researchers, near the start of the year. The hackers, linked to Russia’s Foreign Intelligence Service, are using data “initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,” CISA said in the emergency directive.

CISA said that the company will provide necessary metadata on the compromised emails to affected agencies, as well as the metadata for all stolen agency correspondence. CyberScoop first reported on the directive last week, citing three government officials familiar with the matter.

Eric Goldstein, CISA’s executive assistant director of cybersecurity, declined to say which agencies were affected but said they are urgently taking remediation steps. The targeted agencies must update CISA by May 1 on their activities responding to the directive.

“As we shared in our March 8 blog, as we discover secrets in our exfiltrated email, we are working with our customers to help them investigate and mitigate. This includes working with CISA on an emergency directive to provide guidance to government agencies,” a company spokesperson told Nextgov/FCW.

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said, advising agencies to analyze the contents of the exfiltrated emails, reset credentials and ensure their Microsoft authentication tools are secure.

The company has already come under fire for what a DHS assessment last week described as a lax security culture that enabled a high-profile Chinese state-backed cyberattack last year, in which hackers accessed the Microsoft email accounts of top government officials.

“While this second intrusion was outside of the scope of the Board’s current review, the Board is troubled that this new incident occurred months after the Exchange Online compromise covered in this review,” the Cyber Safety Review Board wrote in last week’s findings, referring to the Midnight Blizzard incident.

“This additional intrusion highlights the Board’s concern that Microsoft has not yet implemented the necessary governance or prioritization of security to address the apparent security weaknesses and control failures within its environment and to prevent similar incidents in the future,” it added.

Midnight Blizzard is linked to numerous high-profile cyber incidents, including the 2020 SolarWinds hack and the 2016 hack of the Democratic National Committee.

Defense One