The US Cybersecurity and Infrastructure Security Agency (CISA) said a Russian hacker group known as Midnight Blizzard “exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft” after successfully compromising a number of Microsoft corporate email accounts.
“The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems.
JOIN US ON TELEGRAM
Follow our coverage of the war on the @Kyivpost_official.
“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” read a CISA emergency directive on Thursday, April 11.
The announcement followed Microsoft’s report in January that a Moscow-sponsored hacker group “exfiltrated some emails and attached documents” and “access to some of the company’s source code repositories and internal systems” since November 2023, as reported by Kyiv Post.
CISA did not disclose the level of damage and the nature of the information Midnight Blizzard managed to exfiltrate, but it said both the agency and Microsoft has notified the agencies affected and CISA is now requiring the agencies to review and step up security measures.
Ukraine Fires First Long-Range US Missiles into Russia, Kremlin Vows Response
“This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure,” said CISA.
Microsoft previously identified the group as Midnight Blizzard, a Russian state-sponsored actor also known as Nobelium and Cozy Bear, which is associated with Russia’s Foreign Intelligence Service (SVR), according to a Microsoft cybersecurity report on Ukraine from June 2022.
The company’s January announcement said the group was “initially targeting email accounts for information related to Midnight Blizzard itself.”
It is believed the group has been utilizing password-spraying attacks in which the same, commonly used passwords were used on multiple accounts in brute-force attacks.
Midnight Blizzard was also the group behind the 2020 SolarWinds hack, in which multiple US federal agencies were compromised.
You can also highlight the text and press Ctrl + Enter