Russian hackers accessed U.S. government emails in Microsoft breach, CISA says

Kremlin-backed agents who accessed sensitive Microsoft systems in January using brute-force password-guessing techniques successfully exfiltrated email correspondence from federal civilian agencies, the Cybersecurity and Infrastructure Security Agency said Thursday.

The software giant issued an alert on the group, dubbed Midnight Blizzard by industry security researchers, near the beginning of the year. The hackers, linked to Russia's Foreign Intelligence Service, are using data "initially extracted from corporate email systems, including authentication details shared between Microsoft and Microsoft customers via email, to obtain, or attempt to obtain, additional access to Microsoft customer systems," CISA said in the emergency directive.

CISA said the company will provide the necessary metadata on the compromised emails to the affected agencies, as well as metadata on all stolen correspondence from the agencies. CyberScoop first reported on the directive last week, citing three government officials familiar with the matter.

"As we share in our March 8 blog, as we uncover secrets in our exfiltrated email, we work with our customers to help them investigate and mitigate. This includes working with CISA on an emergency directive to provide guidance to government agencies," a company spokesperson told Nextgov/FCW.

"Midnight Blizzard's successful compromise of Microsoft corporate email accounts and exfiltration of correspondence between agencies and Microsoft presents a serious and unacceptable risk to agencies," CISA said, advising agencies to analyze the content of the exfiltrated emails, reset credentials, and ensure their Microsoft authentication tools are secure.

The company has already been criticized for what a DHS assessment last week said was a lax culture that enabled a high-profile Chinese state-backed cyberattack last year, where hackers accessed the Microsoft email accounts of senior government officials.

"While this second intrusion was outside the scope of the Board's current review, the Board is concerned that this new incident occurred months after the Exchange Online compromise covered in this review," the Cybersecurity Review Board wrote in last week's conclusions, referring to the Midnight Blizzard incident.

"This additional intrusion highlights the Board's concern that Microsoft has not yet implemented the security governance or prioritization necessary to address apparent security weaknesses and control failures within its environment and to prevent similar incidents in the future," it added.

Midnight Blizzard is linked to numerous high-profile cyber incidents, including the 2020 SolarWinds hack and the 2016 Democratic National Committee hack.

