The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that Russian-backed hackers stole emails from various US federal agencies as a result of an ongoing cyberattack on Microsoft.
In a statement released Thursday, the US cybersecurity agency said the cyberattack, which Microsoft first disclosed in January, allowed hackers to steal federal government emails “through a successful compromise of Microsoft’s corporate email accounts.”
The hackers, whom Microsoft calls “Midnight Blizzard,” also known as APT29, are widely believed to be working for Russia’s Foreign Intelligence Service, or SVR.
“Midnight Blizzard’s successful compromise of corporate Microsoft email accounts and infiltration of correspondence between agencies and Microsoft poses a serious and unacceptable risk to companies,” CISA said.
The federal cyber agency said it issued a new emergency directive on April 2 ordering civilian government agencies to take action to secure their email accounts, based on new information that Russian hackers were stepping up their intrusions. CISA released details of the emergency directive on Thursday after giving affected federal agencies a week to reset passwords and secure affected systems.
CISA did not name the affected federal agencies whose emails were stolen, and a CISA representative did not immediately comment when reached by TechCrunch.
The news of the emergency directive was first reported by Cyberscoop last week.
The emergency directive comes as Microsoft faces increasing scrutiny of its security practices after a wave of hacks by rival countries. The US government relies heavily on the software giant to host government email accounts.
Microsoft went public in January after finding that the Russian hacking group had broken into some corporate email systems, including the email accounts of “senior leadership and employees in our cybersecurity, legal and other functions.” Microsoft said the Russian hackers were looking for information about what Microsoft and its security teams knew about the hackers themselves. The tech giant later said the hackers were also targeting other organizations besides Microsoft.
It is now known that some of these affected organizations included US government agencies.
As of March, Microsoft said it was continuing its efforts to flush the Russian hackers from its systems in what the company described as an “ongoing offensive.” In a blog post, the company said the hackers were trying to use “secrets” they had originally stolen to gain access to other internal Microsoft systems and exfiltrate more data, such as source code.
Microsoft did not immediately comment when asked by TechCrunch on Thursday what progress the company was making in remediating the attack since March.
Earlier this month, the US Cyber Safety Review Board (CSRB) completed its investigation of a previous breach of US government emails in 2023 attributed to Chinese government-backed hackers. The CSRB, an independent body that includes representatives from government and private-sector cyber experts, blamed a “cascade of security failures at Microsoft.” These allowed the Chinese-backed hackers to steal a sensitive email signing key that granted broad access to both consumer email and government messages.
In February, the US Department of Defense notified 20,000 people that their personal information was exposed online after a Microsoft-hosted cloud email server was left without a password for several weeks in 2023.