US Says Russian Hackers Stole Federal Government Emails During Microsoft Cyberattack | TechCrunch

The US cybersecurity agency CISA has confirmed that Russian government-backed hackers have stolen emails from several US federal agencies as a result of an ongoing cyberattack on Microsoft.

In a statement released Thursday, the U.S. cyber agency said the cyberattack, which Microsoft first disclosed in January, allowed the hackers to steal federal government emails “by successfully compromising the email accounts of Microsoft Company”.

The hackers, whom Microsoft tracks as “Midnight Blizzard” and who are also known as APT29, are widely believed to work for the Russian foreign intelligence agency, the SVR.

“Midnight Blizzard’s successful compromise of Microsoft company email accounts and exfiltration of correspondence between government agencies and Microsoft poses a serious and unacceptable risk to government agencies,” CISA said.

The federal cyber agency said it issued a new emergency directive on April 2 requiring civilian government agencies to take measures to secure their email accounts, based on new information that the Russian hackers were stepping up their intrusions. CISA released details of the emergency directive on Thursday, after giving affected federal agencies a week to reset passwords and secure affected systems.

CISA did not name the affected federal agencies whose emails were stolen, and a CISA spokesperson did not immediately comment when reached by TechCrunch.

News of the emergency directive was first reported by Cyberscoop last week.

The emergency directive comes as Microsoft faces increasing scrutiny of its security practices following a spate of breaches by hackers from rival nations. The US government relies heavily on the software giant to host government email accounts.

Microsoft went public in January after discovering that the Russian hacking group had breached some of its corporate email systems, including the email accounts of “senior leadership teams and employees in our cybersecurity, legal and other functions”. Microsoft said the Russian hackers were seeking information about what Microsoft and its security teams knew about the hackers themselves. The tech giant later said that the hackers had also targeted other organizations outside of Microsoft.

It is now known that the affected organizations included US government agencies.

In March, Microsoft said it was continuing its efforts to drive the Russian hackers from its systems, in what the company called a “sustained attack.” In a blog post, the company explained that the hackers had attempted to use “secrets” found in the originally stolen emails to access other internal Microsoft systems and exfiltrate additional data, such as source code.

When asked by TechCrunch on Thursday what progress the company had made in resolving the attack since March, Microsoft did not immediately comment.

Earlier this month, the US Cyber Safety Review Board completed its investigation into an earlier breach of US government emails in 2023 that was attributed to Chinese government-backed hackers. The CSRB, an independent panel made up of government officials and private sector cyber experts, blamed a “cascade of security failures at Microsoft” that allowed the China-backed hackers to steal a sensitive email signing key, which in turn gave them broad access to consumer and government emails.

In February, the US Department of Defense notified 20,000 people that their personal information was exposed online after a cloud email server hosted by Microsoft was left without a password for several weeks in 2023.
