
Russian Hack of Microsoft Corporate Emails Ensnares US Federal Agencies

US cyber officials are requiring affected federal agencies to act, since their login credentials may have been exposed to Russian state-sponsored hackers.


A January breach of Microsoft’s corporate emails may have facilitated the hack of US federal agencies by a Russian hacking group.

The US Cybersecurity and Infrastructure Security Agency (CISA) today issued an alert urging these agencies to take steps to fend off the threat. 

The US government is a major customer of Microsoft, and the state-sponsored Russian hacking group, called Midnight Blizzard, stole sensitive emails from Microsoft, including correspondence between the company and federal agencies. According to CISA, the stolen emails potentially contain “authentication details” such as passwords, which could be exploited to gain access to a Microsoft account belonging to a federal agency. 

In a press briefing, Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity, noted that federal agencies could have exposed authentication details in the emails to Microsoft to troubleshoot an IT issue, or to address a software bug. However, including credentials or passwords in emails is a security no-no, as Goldstein also acknowledged. “That is certainly not a best practice, and one that associates with a significant degree of risk,” he added.

CISA declined to name which federal agencies are affected. There are also no indications that Midnight Blizzard has used the stolen emails to breach any US agency. Nevertheless, Microsoft is still analyzing whether any of the exposed credentials were accessed, Goldstein said.

He also said that Microsoft had already warned federal agencies about the potential risk shortly after the company publicly disclosed the breach in January. But given the threat's severity, CISA decided to issue an emergency directive, requiring federal agencies to act.

CISA is now ordering the affected federal agencies “to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure,” it said in the alert. 

The incident is another blow to Microsoft’s cybersecurity reputation. In a report earlier this month, US security officials faulted the company for a separate breach involving Chinese hackers accessing US government email accounts. 

Microsoft didn’t immediately respond to a request for comment. But last month, the company disclosed that Midnight Blizzard also accessed Microsoft’s source code repositories after pilfering the corporate emails.

About Michael Kan