CISA: Russian Hackers Stole Emails Between U.S. Agencies and Microsoft – Source: securityboulevard.com

Russian state-sponsored hackers who broke into Microsoft’s corporate email accounts during the monthslong hack stole email messages between the enterprise software giant and a number of U.S. federal agencies, adding to an ongoing series of revelations about the attack.

The Midnight Blizzard group is using information taken from the corporate email systems, such as authentication details in emails between Microsoft and some of its customers, to gain access to customer systems, CISA said in an emergency directive issued earlier this month.

The directive also orders agencies affected by the breach – those agencies whose correspondence was exfiltrated by Midnight Blizzard – to take steps to address the risk from the attack, which started in November 2023 but was not detected by Microsoft until January. Those steps include remediating tokens, passwords, API keys, or similar authentication credentials that were or may have been compromised.

If the agencies find authentication compromises, they have until April 30 to reset credentials for those applications and deactivate any that the agencies no longer use. In addition, they must scour sign-in, token issuances, and other account activity logs for user sand services whose credentials were compromised to determine there is malicious activity.

They also need to run a cybersecurity impact analysis on all agency correspondence with compromised Microsoft accounts.

‘A Grave and Unacceptable Risk’

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA wrote. “This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”

For those agencies whose stolen correspondence included authentication secrets, Microsoft is providing metadata for the emails to the agencies.

The fallout from the hack by Midnight Blizzard – an advanced persistent threat (APT) group linked to the Russian Foreign Intelligence Service (SVR) and also known as Nobelium, Cozy Bear, and APT29 – has continued since January, with the hackers continuing to run their campaign in the following months.

“According to Microsoft, Midnight Blizzard has increased the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February, compared to an already large volume seen in January 2024,” CISA wrote.

On Ongoing Campaign

Microsoft officials last month said that the attackers used stolen information to access the software maker’s source code repositories and other internal systems. While the Microsoft Security Response Center (MSRC) said then that there was “no evidence that Microsoft-hosted customer-facing systems have been compromised,” the ongoing revelations continue to be problem.

The MSRC’s assessment in March rings true a month later.

“It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” the MSRC wrote in a blog post. “Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.”

Microsoft described the ongoing attack as a “sustained commitment” by the threat group and suggested it was using the stolen information to put together a map of areas to attack and to improve its ability to do so.

Email Accounts Compromised

Midnight Blizzard – which also was responsible for the high-profile supply-chain attack on software maker SolarWinds in 2020 – used a password spray attack that compromised a legacy non-production test tenant account to gain a foothold int the environment. From there, the hackers used the account’s permissions to access a small percentage of Microsoft’s corporate email accounts, including those of senior leaders and employees within its cybersecurity, legal, and other departments, the company said in a filing with the Securities and Exchange Commission (SEC).

The company said later that the compromised test account did not have multifactor authentication enabled, making it easier for the attackers to access Microsoft systems.

Other Attacks

Around the same time that Microsoft disclosed the attack, IT vendor Hewlett Packard Enterprise said in a SEC filing that the same group had broken into its cloud-based email environment, accessing and stealing data “from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

The attack by Midnight Blizzard came months after another embarrassing attack, this one by a Chinese-linked ATP threat group, Storm-0558, which stole a Microsoft signing key and hacked its way into Microsoft 365 and Exchange Online accounts, stealing email from about two dozen U.S. government organizations as well as corporate accounts.

Microsoft’s cybersecurity practices were harshly criticized by CISA’s Cyber Security Review Board and from members of Congress. Senator Ron Wyden (D-OR), in a letter, urged government enforcement agencies – including CISA, the Justice Department, and the Federal Trade Commission – to hold the software maker responsible for the breach, which he said was due to Microsoft’s “negligent cybersecurity practices.”