Email from US federal agencies may have been accessed in Russian breach of Microsoft

A suspected Russian state-sponsored hacking collective may have obtained access to emails from federal agencies as part of a broader breach of Microsoft corporate email accounts.

The Cybersecurity and Infrastructure Security Agency (CISA) publicly disclosed an emergency directive on Thursday, initially issued to federal agencies on April 2 and initially reported by CyberScoop on April 4.

The directive outlines potential impacts on federal agencies stemming from an intrusion reported by Microsoft in January, instructing them to take measures to secure their accounts.

In this particular incident, the Russian hacking group identified by Microsoft as Midnight Blizzard exploited a widely used authentication tool to infiltrate the email accounts of senior executives within the company. This group, also referred to as APT29 and Cozy Bear, has ties to Russia’s Foreign Intelligence Service (SVR).

In response to the ongoing efforts by the group to gain “additional access to Microsoft customer systems,” CISA has mandated all FCEB agencies to scrutinize potentially impacted emails, reset compromised credentials, and fortify privileged Microsoft Azure accounts.

On Thursday, CISA verified that the incident “potentially” enabled the hackers to reach “communications with Federal Civilian Executive Branch (FCEB) agencies,” potentially containing authentication information or credentials.

During a briefing with journalists, Eric Goldstein, CISA’s executive assistant director for cybersecurity, stated that the agency is “unaware of any agency operational environments compromised due to credential exposure.” Goldstein refrained from specifying the number of agencies whose emails were accessed.

According to the advisory, both CISA and Microsoft have informed all federal agencies whose emails were illicitly accessed by the Russian hackers.