The U.S. Department of Veterans Affairs and a branch of the U.S. State Department are among a growing list of Microsoft Corp. customers that have acknowledged being affected by a breach the tech giant blamed on Russian state-sponsored hackers.
The American Agency for Global Media, which is part of the State Department and provides information to countries with press restrictions, was notified “a few months ago” by Microsoft that some of its data may have been stolen, a spokesperson said in an emailed statement. No sensitive security or personally identifiable data was compromised, the spokesperson said.
The agency is working closely with the Department of Homeland Security on the incident, the spokesman said, declining to answer further questions. A State Department spokesman said, “We understand that Microsoft is reaching out to affected and unaffected agencies in the spirit of transparency.”
Microsoft revealed in January that a Russian hacking group called Midnight Blizzard had accessed corporate email accounts, and later warned that the hackers had reportedly attempted to use secrets shared between the tech giant and its customers. The company declined to identify the affected customers.
“As our investigation continues, we have reached out to customers to let them know if they corresponded with a Microsoft corporate email account that was accessed,” a Microsoft spokesperson said Wednesday. “We will continue to coordinate, support, and help our customers take mitigation actions.”
Additionally, the Department of Veterans Affairs was notified in March that it had been affected by the Microsoft data breach, agency officials said.
A one-second intrusion
The hackers used a single set of stolen credentials — found in emails they accessed — to break into a test environment of the VA’s Microsoft Cloud account around January, officials said, adding that the intrusion lasted a second. Midnight Blizzard likely intended to test whether the credentials were valid, likely with the broader intent of breaking into the VA’s network, officials said.
The agency changed the exposed credentials, as well as login information across all of its Microsoft environments, once it was notified of the breach, they said. After reviewing the emails accessed by the hackers, the VA determined that no additional credentials or sensitive emails were stolen, officials said.
Terrence Hayes, VA press secretary, said an investigation is continuing to determine any additional impact.
Microsoft also contacted the Peace Corps and notified it of the Midnight Blizzard security flaw, according to a statement from the agency’s press office. “Based on this notification, Peace Corps technical staff were able to mitigate the vulnerability,” the agency said. The Peace Corps declined to comment further.
Bloomberg News reached out to other federal agencies for comment, and none disclosed that they were affected by Midnight Blizzard’s attack on Microsoft. Bloomberg previously reported that more than a dozen Texas state agencies and public universities were exposed by the Russian hack.
Midnight Blizzard, also known in cybersecurity circles as “Cozy Bear” and “APT29,” is part of Russia’s foreign intelligence service, according to U.S. and British authorities.
In April, U.S. federal agencies were ordered to scan emails, reset compromised passwords and work to secure Microsoft cloud accounts, amid concerns that Midnight Blizzard may have accessed the correspondence. Microsoft informed some customers in the months that followed that their emails with the tech giant had been accessed by the Russian hackers.
The Midnight Blizzard security breach is part of a series of high-profile and damaging security breaches at the Redmond, Washington-based tech company that have drawn strong condemnation from the U.S. government. Microsoft President Brad Smith appeared before Congress last month, where he acknowledged the security flaws and pledged to improve the company’s operations.