US says Russian hackers stole federal government emails during Microsoft cyberattack

U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that Russian government-backed hackers stole emails from several U.S. federal agencies as a result of an ongoing cyberattack at Microsoft.

In a statement published Thursday, the U.S. cyber agency said the cyberattack, which Microsoft initially disclosed in January, allowed the hackers to steal federal government emails “through a successful compromise of Microsoft corporate email accounts.”

The hackers, which Microsoft calls “Midnight Blizzard,” also known as APT29, are widely believed to work for Russia’s Foreign Intelligence Service, or SVR.

“Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” said CISA.

The federal cyber agency said it issued a new emergency directive on April 2 ordering civilian government agencies to take action to secure their email accounts, based on new information that the Russian hackers were ramping up their intrusions. CISA made details of the emergency directive public on Thursday after giving affected federal agencies a week to reset passwords and secure affected systems.

CISA did not name the affected federal agencies that had emails stolen, and a spokesperson for CISA did not immediately comment when reached by TechCrunch.

News of the emergency directive was first reported by Cyberscoop last week.

The emergency directive comes as Microsoft faces increasing scrutiny of its security practices after a spate of intrusions by hackers of adversarial nations. The U.S. government is heavily reliant on the software giant for hosting government emails accounts.

Microsoft went public in January after identifying that the Russian hacking group broke into some corporate email systems, including the email accounts of “senior leadership team and employees in our cybersecurity, legal, and other functions.” Microsoft said the Russian hackers were searching for information about what Microsoft and its security teams knew about the hackers themselves. Later, the technology giant said the hackers also targeted other organizations outside of Microsoft.

Now it is known that some of those affected organizations included U.S. government agencies.

By March, Microsoft said it was continuing its efforts to expel the Russian hackers from its systems in what the company described as an “ongoing attack.” In a blog post, the company said the hackers were attempting to use “secrets” they had initially stolen in order to access other internal Microsoft systems and exfiltrate more data, such as source code.

Microsoft did not immediately comment when asked by TechCrunch on Thursday what progress the company is making in remediating the attack since March.

Earlier this month, the U.S. Cyber Safety Review Board (CSRB) concluded its investigation of an earlier 2023 breach of U.S. government emails attributed to China government-backed hackers. The CSRB, an independent body that includes representatives from government and cyber experts in the private sector, blamed a “cascade of security failures at Microsoft.” Those allowed the China-backed hackers to steal a sensitive email key that permitted broad access to both consumer and government emails.

In February, the U.S. Department of Defense notified 20,000 individuals that their personal information was exposed to the internet after a Microsoft-hosted cloud email server was left without a password for several weeks in 2023.