CISA: Russian Hackers Putting Government Agencies At “Grave Risk”

Correspondence between federal government agencies and Microsoft was among the data stolen in an ongoing cyber-attack against Microsoft. The attack is blamed on a group of hackers backed by the Russian government that Microsoft tracks as “Midnight Blizzard” (also known as APT29 or Cozy Bear).

The hackers gained their initial foothold by password spraying, a brute-force technique that tries a small set of common passwords against many accounts rather than many passwords against one, and went on to exfiltrate Microsoft corporate email, including correspondence with several federal agencies.
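Password spraying has a distinctive shape in sign-in telemetry: one source fails against many different accounts, each only a handful of times, which keeps it under per-account lockout thresholds. The script below is an added example written for this page, not code from the article, CISA or Microsoft. It runs a simple spray detector over a few constructed log records; the log schema (timestamp, source IP, account, outcome) and the thresholds are assumptions for illustration, and the accounts that later succeed from a flagged source are reported first because those are the credentials to reset.

```python
"""Flag password-spray sources in constructed sign-in records.

Added example, not part of the original article. Schema and thresholds are
assumptions: a real Entra ID / Exchange sign-in log has more fields, and the
window and counts should be tuned to the tenant's normal failure rate.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): timestamp, source IP, account, outcome.
SAMPLE_LOGS = [
    # Spray: five accounts, one failure each, then a hit on a stale test account.
    ("2024-01-10T03:00:01", "203.0.113.7", "alice", "fail"),
    ("2024-01-10T03:00:09", "203.0.113.7", "bob", "fail"),
    ("2024-01-10T03:00:17", "203.0.113.7", "carol", "fail"),
    ("2024-01-10T03:00:25", "203.0.113.7", "dave", "fail"),
    ("2024-01-10T03:00:33", "203.0.113.7", "erin", "fail"),
    ("2024-01-10T03:00:41", "203.0.113.7", "test-legacy", "success"),
    # One user mistyping a password from the office: not a spray.
    ("2024-01-10T08:15:00", "198.51.100.4", "frank", "fail"),
    ("2024-01-10T08:15:05", "198.51.100.4", "frank", "fail"),
    ("2024-01-10T08:15:12", "198.51.100.4", "frank", "fail"),
    ("2024-01-10T08:15:20", "198.51.100.4", "frank", "success"),
    # Classic single-account brute force: many attempts, one account. Worth its
    # own alert, but it is not the spray pattern this detector looks for.
    ("2024-01-10T03:30:00", "192.0.2.9", "admin", "fail"),
    ("2024-01-10T03:31:00", "192.0.2.9", "admin", "fail"),
    ("2024-01-10T03:32:00", "192.0.2.9", "admin", "fail"),
    ("2024-01-10T03:33:00", "192.0.2.9", "admin", "fail"),
    ("2024-01-10T03:34:00", "192.0.2.9", "admin", "fail"),
    ("2024-01-10T03:35:00", "192.0.2.9", "admin", "fail"),
    ("2024-01-10T03:36:00", "192.0.2.9", "admin", "fail"),
    ("2024-01-10T03:37:00", "192.0.2.9", "admin", "fail"),
]


def detect_password_spray(records, window=timedelta(minutes=10),
                          min_users=5, max_per_user=3):
    """Return {ip: {"users_targeted": n, "successes": [accounts]}} for every
    source IP whose failures inside one `window` span at least `min_users`
    distinct accounts with no more than `max_per_user` failures each."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in records:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [(t, u) for t, u, o in events if o == "fail"]
        # Slide a window forward from each failure; stop at the first match.
        for i, (start, _) in enumerate(failures):
            per_user = defaultdict(int)
            for t, u in failures[i:]:
                if t - start > window:
                    break
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Any account that signed in successfully from this source after
                # the spray began is a probable compromise: reset it first.
                successes = sorted({u for t, u, o in events
                                    if o == "success" and t >= start})
                findings[ip] = {"users_targeted": len(per_user),
                                "successes": successes}
                break
    return findings


if __name__ == "__main__":
    for ip, hit in detect_password_spray(SAMPLE_LOGS).items():
        print(f"{ip}: {hit['users_targeted']} accounts sprayed, "
              f"successful sign-ins: {hit['successes'] or 'none'}")
```

The detector keys on breadth (many accounts) and shallowness (few tries per account), which is why the single-account brute force and the user who mistyped a password are not flagged. Against a real tenant, run it per source IP and per ASN, since a spray is often spread across a residential proxy pool, and lower `min_users` for small tenants.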

The stolen emails prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a rare emergency directive (ED 24-02) on the attack, noting that the compromise presents a “grave and unacceptable risk to agencies.”

In the directive, CISA writes that Midnight Blizzard is still using stolen information such as authentication details and tokens to try and gain additional access to Microsoft’s computer systems. Microsoft’s programs, including its email program Outlook, are widely used throughout the federal government.

Under the emergency directive, agencies were ordered to take “steps to identify the full content of the agency correspondence with compromised Microsoft accounts and perform a cybersecurity impact analysis,” reset compromised credentials and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure. 

“For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity,” CISA Director Jen Easterly said in a press release.

Microsoft in the Crosshairs

Microsoft first disclosed the Midnight Blizzard attack in January, saying that Russian hackers broke into some corporate email systems.

In March, Microsoft said efforts to expel the hackers were continuing and that the hackers were attempting to use stolen information to access other Microsoft internal systems and steal more data.  

And news of the emergency directive comes just a week after Microsoft was criticized by the Cyber Safety Review Board (CSRB), which found the company's security culture inadequate and blamed a cascade of avoidable errors for a 2023 hack of Exchange Online by a Chinese government-backed group that Microsoft tracks as Storm-0558.

Midnight Blizzard is attributed to Russia's Foreign Intelligence Service (SVR), not military intelligence. The SVR is the agency linked to the 2020 SolarWinds supply-chain attack and was one of the two Russian services that broke into Democratic National Committee computers in 2016.
