
CISA Confirms Midnight Blizzard’s Breach Exposed Gov Emails: Microsoft’s Security Response

Last Updated April 12, 2024 4:46 PM
James Morales

Key Takeaways

  • CISA has confirmed government agencies were compromised by a Russian cybersecurity threat.
  • The state-sponsored hackers, known as Midnight Blizzard, used a password spray attack to exploit Microsoft’s internal systems.
  • Communications between Microsoft and several civilian government agencies were breached.

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that government agencies were affected by Midnight Blizzard’s attacks on Microsoft corporate email systems.

The security breach “presents a grave and unacceptable risk to agencies,” CISA stated in an emergency directive. The directive, dated April 2, was only disclosed on April 12.

Government Emails Compromised by Russian Hackers

Microsoft initially revealed that its email systems had been breached by Midnight Blizzard in January. However, it didn’t disclose which organizations were affected.

Following several updates, CISA recently confirmed that the “Russian state-sponsored cyber actor” had successfully infiltrated email correspondence between Microsoft and various civilian Federal agencies.

As a result of the attack, CISA has ordered all affected agencies to analyze the content of leaked emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure. 

CCN reached out to Microsoft for comments but the company had not responded at the time of writing.

The Origins of Midnight Blizzard

Microsoft first publicly identified a nation-state cyber threat designated as NOBELIUM in 2020.

Although it didn’t immediately name Russia as the source of the attacks, the firm acknowledged that a shadowy entity had been targeting American organizations to further its geopolitical interests.

The company described a sophisticated hacking operation that had successfully breached the systems of world-class companies with strong security teams. 

Since April 2023, Microsoft Threat Intelligence has shifted to a new threat actor naming scheme aligned around the theme of weather. As such, NOBELIUM was reclassified as Midnight Blizzard.

While the name may have changed, over the years, Midnight Blizzard has remained a persistent threat, using a range of techniques to conduct espionage and steal secrets.

Some of its most well-known campaigns include the TEARDROP malware and a supply chain attack that trojanized the SolarWinds Orion business software.

Midnight Blizzard Snooping Into its Investigators

In November 2023, Midnight Blizzard used a password spray attack to compromise a legacy internal test account and gain a foothold. From there, hackers used the account’s permissions to access several Microsoft corporate email accounts, including members of its senior leadership and cybersecurity teams.

Microsoft’s investigation into the incident revealed that the attackers were initially targeting email accounts for information related to Midnight Blizzard itself.

Following the initial success of the strategy, Midnight Blizzard appears to have ramped up the operation, with the number of password sprays multiplying tenfold in February. 

What is Password Spraying?

Password spraying is a cyberattack tactic in which a single password is tried against many target accounts, rather than many passwords against one account.

Often relying on old-school guesswork to compromise accounts, password spray attacks are pretty low-tech by Midnight Blizzard’s standards. The fact that the strategy paid off points to a general complacency about cybersecurity that many people can be guilty of.
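Because a spray touches many accounts a few times each, it leaves a recognisable shape in sign-in logs. The following is an added illustration, not code from the article or from Microsoft or CISA: a small detector that flags a source whose failed sign-ins spread across many distinct accounts within a short window, then lists any accounts that source later signed into successfully (the first candidates for the credential reset CISA ordered). The event fields and thresholds are assumptions, and the log lines are constructed.

```python
# Added example (not from the article): heuristic detection of a password-spray
# pattern in authentication logs. Events are constructed sample data, and the
# field layout below is an assumption, not any particular product's schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, source_ip, account, outcome).
SAMPLE_EVENTS = [
    ("2024-01-10T03:00:01", "203.0.113.7", "alice", "failure"),
    ("2024-01-10T03:00:04", "203.0.113.7", "bob", "failure"),
    ("2024-01-10T03:00:08", "203.0.113.7", "carol", "failure"),
    ("2024-01-10T03:00:11", "203.0.113.7", "dave", "failure"),
    ("2024-01-10T03:00:15", "203.0.113.7", "eve", "failure"),
    ("2024-01-10T03:00:19", "203.0.113.7", "test-legacy", "success"),
    # One user mistyping a password a few times: narrow and shallow, not a spray.
    ("2024-01-10T03:05:00", "198.51.100.2", "frank", "failure"),
    ("2024-01-10T03:05:05", "198.51.100.2", "frank", "failure"),
    ("2024-01-10T03:05:09", "198.51.100.2", "frank", "success"),
]

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_attempts_per_account=2):
    """Return {source_ip: sorted target accounts} for sources whose failed
    sign-ins hit many distinct accounts, each only a few times, inside one
    time window. That wide-and-shallow shape distinguishes a spray from a
    brute force against a single account (narrow and deep)."""
    failures = defaultdict(list)  # ip -> [(time, account)]
    for ts, ip, account, outcome in events:
        if outcome == "failure":
            failures[ip].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window so attempts[start:end+1] fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in attempts[start:end + 1]:
                per_account[account] += 1
            if (len(per_account) >= min_accounts and
                    max(per_account.values()) <= max_attempts_per_account):
                flagged[ip] = sorted(per_account)
                break
    return flagged

def successes_after_spray(events, flagged):
    """Accounts a flagged source signed into successfully: reset these first."""
    return sorted({acct for _, ip, acct, out in events
                   if ip in flagged and out == "success"})
```

Tune `min_accounts` and `window` to the tenant's normal sign-in volume; a low threshold on a large directory produces noise, while a spray spread over hours needs a longer window.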
