US Government Impacted In Microsoft Breach By Midnight Blizzard: Report

In a statement provided to CRN, Microsoft confirmed that it has been working with CISA on an emergency directive related to the threat.

The U.S. federal government has been impacted by a Russian state-sponsored hacker group, known as Midnight Blizzard, in connection with the threat actor’s breach of Microsoft executive accounts disclosed in January, according to a report Thursday.

The report from Scoop News Group indicated that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive this week to federal agencies, which came in response to an unspecified impact on the U.S. government related to the Midnight Blizzard attack against Microsoft.

In a statement provided to CRN Thursday, Microsoft confirmed it has been working with CISA on the emergency directive related to the Midnight Blizzard threat to the federal government.

“As shared in our March 8 blog, as we discover secrets in our exfiltrated email we are working with our customers to help them investigate and mitigate any impacts,” Microsoft said in the statement. “This includes working with CISA on an emergency directive to provide guidance to government agencies.”

CRN has reached out to CISA for comment.

Microsoft initially disclosed Jan. 19 that Midnight Blizzard, which has been associated with Russia’s SVR foreign intelligence service, was able to steal emails from members of its senior leadership team as well as from employees on its cybersecurity and legal teams. The attack began in late November, the company has said.

In an update on the incident in early March, Microsoft disclosed that Midnight Blizzard had been observed continuing to try to exploit information gathered in the attack.

As of this writing, the CISA emergency directive has not been made public. A CISA spokesperson reportedly told Scoop News Group that “CISA continues to provide guidance to Federal Civilian Executive Branch agencies regarding actions to secure accounts potentially placed at risk through the Midnight Blizzard campaign disclosed by Microsoft in January 2024.”

“We are working closely with Microsoft to understand the risks to federal agencies and the broader ecosystem in order to provide necessary guidance and information,” the CISA spokesperson said, according to the report.

In its March update, Microsoft said it had seen a recent surge in activity by Midnight Blizzard. It has been “apparent that Midnight Blizzard is attempting to use secrets of different types it has found,” Microsoft said in the post.

The company noted that “some of these secrets were shared between customers and Microsoft in email.” A Microsoft representative clarified that the “secrets” referenced in the post consist of cryptographic secrets such as passwords, credentials, certificates and keys.

Microsoft said in March that it had “seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access.”

“This has included access to some of the company’s source code repositories and internal systems,” Microsoft said.

According to the Scoop News Group report, the CISA emergency directive is geared toward mitigation of malicious activities by Midnight Blizzard.

The disclosure follows this week’s blistering report about Microsoft’s security culture and practices issued by the U.S. Department of Homeland Security-appointed Cyber Safety Review Board. The board released a 34-page report on last year’s Microsoft Exchange Online breach, which was linked to China and impacted multiple federal agencies and officials including Commerce Secretary Gina Raimondo. The review board pinned the cloud email breach on a “cascade of Microsoft’s avoidable errors.”