Federal government affected by Russian breach of Microsoft

U.S. cybersecurity officials issued an emergency directive this week to address a breach by Russian operatives of Microsoft first disclosed in January.
The Microsoft logo is seen at an Experience Center on Fifth Avenue on April 3, 2024, in New York City. (Photo by Michael M. Santiago/Getty Images)

The Cybersecurity and Infrastructure Security Agency issued an emergency directive this week to address the impact on federal agencies from a breach of Microsoft carried out by a hacking unit linked to Russia’s foreign intelligence agency, according to three government officials familiar with the matter. 

In a briefing Tuesday, CISA executives discussed with federal officials an operation believed to have been carried out by the hacking group known as Midnight Blizzard and discussed the directive.

“CISA continues to provide guidance to Federal Civilian Executive Branch agencies regarding actions to secure accounts potentially placed at risk through the Midnight Blizzard campaign disclosed by Microsoft in January 2024,” Scott McConnell, a spokesperson for the agency, told Scoop News Group on Wednesday. “We are working closely with Microsoft to understand the risks to federal agencies and the broader ecosystem in order to provide necessary guidance and information.”

The emergency directive, dated April 2, has been issued to federal agencies but has not yet been made public. Scoop News Group viewed a summary of the directive, which is focused on mitigating activity related to Midnight Blizzard.


The emergency directive is the latest indication of the growing impact of the Russian operation. When Microsoft first disclosed the operation in January, the company said Russian operatives had succeeded in accessing emails belonging to senior company executives. In March, the company said the breach was more severe than initially understood and that Russian operatives had also succeeded in accessing Microsoft source code. 

According to Microsoft’s accounting of events, Midnight Blizzard is attempting to use “secrets” that “were shared between customers and Microsoft” in email messages obtained by the hackers. “As we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures,” Microsoft wrote in its March blog post.  

In response to Scoop News Group questions Thursday, Microsoft said that as the company discovers “secrets in our exfiltrated email we are working with our customers to help them investigate and mitigate any impacts. This includes working with CISA on an emergency directive to provide guidance to government agencies.” 

The emergency directive comes amid growing concerns in Washington about Microsoft’s security posture and the impact on the federal government in a string of breaches targeting the company that have been carried out by both Russian and Chinese hackers. 

In a report published Tuesday examining the theft of a Microsoft signing key by a Chinese hacking crew, the Cyber Safety Review Board leveled scathing criticism at the company for what it described as “a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”


CSRB’s report focused on a Chinese attack on a Microsoft email system known as Exchange Online but also made note of the more recent operation carried out by Midnight Blizzard that is the subject of this week’s emergency directive. 

“While this second intrusion was outside of the scope of the Board’s current review, the Board is troubled that this new incident occurred months after the Exchange Online compromise covered in this review,” the board wrote. “This additional intrusion highlights the Board’s concern that Microsoft has not yet implemented the necessary governance or prioritization of security to address the apparent security weaknesses and control failures within its environment and to prevent similar incidents in the future.”

Midnight Blizzard is Microsoft’s name for a Russian state-sponsored hacking unit that the U.S. and U.K. governments have said works under the Foreign Intelligence Service of the Russian Federation (SVR). Also tracked as APT29, the Dukes, or Cozy Bear, the cyberespionage-focused group is perhaps best known for the 2015 and 2016 hack of the Democratic National Committee, as well as the 2020 SolarWinds attack, which netted the hackers access to multiple federal agencies’ networks and email systems.

The group is “extremely prolific” in targeting entities around the world, according to a 2022 Mandiant report, which noted the group’s “exceptional operational security and advanced tactics targeting Microsoft365.”

Madison Alder contributed reporting.

Latest Podcasts