Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.

In an emergency directive published earlier this month, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) said that Midnight Blizzard, also known as Nobelium and Cozy Bear, had "exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft through a successful compromise of Microsoft corporate email accounts."

Neither CISA nor Microsoft has shared which agencies' e-mails have been compromised, saying only that those affected have already been directly notified. The FCEB comprises numerous agencies, including the Federal Trade Commission, the Social Security Administration, the Department of Homeland Security and others. The compromise of e-mails between any of these agencies and Microsoft "presents a grave and unacceptable risk," according to CISA.

Midnight Blizzard was behind a series of aggressive password spray attacks against Microsoft that started in late November 2023, resulting in the corporate accounts of several high-ranking Microsoft executives being breached, and in internal access codes that were shared between Microsoft and some customers being compromised.

Microsoft did not discover these attacks until January 2024, though at that time it said it saw no signs that customer accounts had actually been infiltrated. In a March update, Microsoft revealed Midnight Blizzard had managed to access some of its source code, again to no apparent detriment to its customers.

In its emergency directive, CISA indicated that some of the exfiltrated agency e-mails contained "authentication secrets" like passwords, credentials, tokens and API keys.

To help agencies batten down their hatches, Microsoft said it will hand over any metadata related to all compromised e-mails to the affected departments. In turn, CISA is requiring agencies to take the following actions:

  • Reset credentials in associated applications and deactivate associated applications that are no longer of use to the agency.
  • Review sign in, token issuance, and other account activity logs for users and services whose credentials were suspected or observed as compromised for potential malicious activity.
  • Take steps to identify the full content of the agency correspondence with compromised Microsoft accounts and perform a cybersecurity impact analysis.

CISA plans to publish a report in September chronicling the agencies' ongoing mitigation efforts.

This, of course, is not the first time Microsoft has been tied to an e-mail breach with national security ramifications. Also last year, a widespread Outlook attack conducted by Chinese hacker group Storm-0558 managed to infiltrate the e-mail accounts of over 500 individuals worldwide, including some associated with the U.S. State Department.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.


comments powered by Disqus

Subscribe on YouTube