Midnight Blizzard Targets US Government in Microsoft Hack

The US Cybersecurity and Infrastructure Security Agency (CISA) revealed that a Russian hacker group known as Midnight Blizzard infiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft, following a successful breach of several Microsoft corporate email accounts. The agency’s announcement comes after Microsoft disclosed the hack in January.

According to CISA, the threat actors accessed the information by exfiltrating corporate email data, including authentication details shared between Microsoft customers and the company via email. This allowed them to gain, or attempt to gain, further access to Microsoft customer systems.

In an emergency directive issued on Thursday, April 11, CISA described the compromise as a "grave and unacceptable risk" to the affected agencies and emphasized the urgency of addressing the situation.

Following Microsoft's report in January, which revealed that a Moscow-sponsored hacker group had stolen emails and attached documents and accessed some of the company's source code repositories and internal systems since November 2023, as reported by the Kyiv Post, the US Cybersecurity and Infrastructure Security Agency (CISA) made an announcement.

However, CISA did not specify the extent of the damage or the type of information Midnight Blizzard extracted, but it noted that both the agency and Microsoft had informed the impacted parties.

"CISA's Emergency Directive requires agencies to examine the content of the compromised emails, reset compromised credentials, and take additional measures to secure authentication tools for privileged Microsoft Azure accounts," the agency stated.

Microsoft previously identified the group as Midnight Blizzard, a Russian state-sponsored actor known by other names such as Nobelium and Cozy Bear, and linked to Russia’s Foreign Intelligence Service (SVR), according to a June 2022 Microsoft cybersecurity report on Ukraine.

In January, Microsoft stated that the group initially targeted email accounts for information related to Midnight Blizzard. The hacker group is believed to have employed password-spraying attacks, using commonly used passwords across multiple accounts in brute-force attempts. Midnight Blizzard was also responsible for the high-profile 2020 SolarWinds hack, which compromised several US federal agencies.

The U.S. Department of State is looking into claims of a cyber incident following the leak of documents reportedly stolen from a government contractor. The company, Acuity, alleged to have been breached, is a technology consulting firm with nearly 400 employees and annual revenue exceeding $100 million.

It offers services such as DevSecOps, IT operations and modernization, cybersecurity, data analytics, and operations support to federal civilian national security clients. "The Department is aware of reports of a cyber incident and is currently investigating," a State Department spokesperson told BleepingComputer.

"The Department is committed to protecting its information and continually works to enhance its cybersecurity measures. For security reasons, we cannot share specific details regarding the nature and scope of the claim."

The threat actor, known as IntelBroker, claims that the files contain classified information from the Five Eyes intelligence alliance. According to their assertions, the leaked data includes full names, emails, office numbers, personal cell numbers, and email addresses of government, military, and Pentagon employees.

"This data was acquired by breaching Acuity Inc, a company that works closely with the US government and its allies." Since December, IntelBroker has been releasing data it claims to have stolen from various government agencies, including ICE, USCIS, the Department of Defense, and the U.S. Army.