CISA warns Microsoft email breach may lead to hacks at other agencies
The U.S. government said Thursday that Russian government hackers who recently stole Microsoft corporate emails had obtained passwords and other secret material that might allow them to breach multiple U.S. agencies.
The Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, on Tuesday issued a rare binding directive to an undisclosed number of agencies requiring them to change any log-ins that were taken and investigate what else might be at risk. The directive was made public Thursday, after recipients had begun shoring up their defenses.
The “successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA wrote. “This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”
Microsoft’s Windows operating system, Outlook email and other software are used throughout the U.S. government, giving the Redmond, Wash.-based company enormous responsibility for the cybersecurity of federal employees and their work. But the longtime relationship is showing increasing signs of strain.
Tuesday’s warning expands the possible fallout from a breach that Microsoft disclosed in January to the government as well as major corporate customers, including some who resell Microsoft products to others. The software giant said a month ago that the hackers might be going after those it emailed with.
CISA officials told reporters it is so far unclear whether the hackers, associated with Russian military intelligence agency SVR, had obtained anything from the exposed agencies. Microsoft calls the hacking group Midnight Blizzard, while other security experts call it Cozy Bear or APT29.
The officials declined to say how many agencies received the warning, noting that the company was still determining what had happened and could find more government targets.
CISA did not spell out the extent of any risks to national interests. But Eric Goldstein, executive assistant director for cybersecurity, said that “the potential for exposure of federal authentication credentials to the Midnight Blizzard actor does pose an exigent risk to the federal enterprise, hence the need for this directive and the actions therein.”
The SVR team believed responsible for the breach is one of the most formidable hacking groups in the world and often conducts sophisticated and long-running penetrations of strategic targets. It was responsible for the attack that backdoored network software from SolarWinds in 2020, allowing its hackers to burrow into nine federal agencies, and is believed to have been one of the Russian entities behind the hack of Democratic National Committee computers during the 2016 presidential campaign.
It remains unclear how the hackers were able to get into the email accounts of senior executives at Microsoft. But the breach is one of a few severe intrusions at the company that have exposed many others elsewhere to potential hacking.
Another of those incidents — in which Chinese government hackers cracked security in Microsoft’s cloud software offerings to steal email from State Department and Commerce Department officials — triggered a major federal review that last week called on the company to overhaul its culture, which the Cyber Safety Review Board cited as allowing a “cascade of avoidable errors.”
