CISA: Email from federal agencies possibly accessed in Russian breach of Microsoft

A Russian state-backed hacking group may have accessed emails from federal agencies as part of a larger breach of Microsoft corporate email accounts.

The Cybersecurity and Infrastructure Security Agency (CISA) publicly released on Thursday an emergency directive originally issued to federal agencies on April 2 and first covered by CyberScoop on April 4. 

The document describes how federal agencies could have been affected by an intrusion Microsoft reported in January, and it directs them to take steps to secure accounts.

In that incident, the Russian hacking group Microsoft calls Midnight Blizzard abused a popular authentication tool to gain access to the email accounts of senior executives at the company. The group, also known as APT29 and Cozy Bear, is associated with Russia’s Foreign Intelligence Service (SVR).

CISA confirmed on Thursday that the incident “potentially” allowed the hackers to access “correspondence with Federal Civilian Executive Branch (FCEB) agencies” which may have contained authentication details or credentials. 

On a call with reporters, CISA executive assistant director for cybersecurity Eric Goldstein said the agency is "not aware of any agency production environments that have experienced a compromise as a result of credential exposure."

Goldstein declined to say how many agencies had emails accessed.

Both CISA and Microsoft have notified all of the federal agencies that had emails exfiltrated by the Russian hackers, the agency said in the advisory. 

“In addition, Microsoft has represented to CISA that for the subset of affected agencies whose exfiltrated emails contain authentication secrets, such as credentials or passwords, Microsoft will provide metadata for such emails to those agencies,” CISA said in the directive.

“Finally, Microsoft has agreed to provide metadata for all exfiltrated federal agency correspondence — regardless of the presence of authentication secrets — upon the request of the National Cyber Investigative Joint Task Force (NCIJTF), which has volunteered to be the single federal point of contact for this incident.”

Checklist for agencies

CISA has ordered all FCEB agencies to analyze potentially affected emails, reset compromised credentials and secure privileged Microsoft Azure accounts in response to the group’s continued attempts to gain “additional access to Microsoft customer systems.”

Microsoft said Midnight Blizzard has “increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February, compared to an already large volume seen in January 2024.”

CISA said it released the directive because the compromise and exfiltration of correspondence between agencies and Microsoft “presents a grave and unacceptable risk to agencies.”

Agencies affected need to complete all of the actions CISA outlined in the directive by April 30. CISA required status updates on April 8 and wants another round by May 1. CISA plans to send a report on the incident to the director of the Office of Management and Budget, the secretary of Homeland Security and the Office of the National Cyber Director by September 1. 

CISA noted that while the directive only applies to federal agencies, other organizations may also have been impacted by the email theft and should contact Microsoft. 

Familiar foes

CISA Director Jen Easterly said the immediate actions necessitated by the directive are designed to “reduce risk to our federal systems.”

“For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity,” she added. 

In a March update to the blog post in January, Microsoft explained that Midnight Blizzard attempted to use what it stole to gain access to the company’s source code repositories and internal systems.

Midnight Blizzard, Microsoft said, may be “using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so.”

Midnight Blizzard, which Microsoft used to call Nobelium, is well known for its 2020 attack on tech company SolarWinds, which gave it widespread access to several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, State Department and other parts of the U.S. government.

Microsoft is still reeling from a scathing Department of Homeland Security report released last week that criticized the company for not only failing to adequately protect systems used widely by the U.S. government but for also refusing to provide certain information to federal agencies that had information stolen. 

The report mentions the Russian email theft as another example of the need for Microsoft to make wholesale changes to its security apparatus.