The U.S. Department of Veterans Affairs and a division of the U.S. State Department are among a growing list of Microsoft Corp. customers that have acknowledged they were affected by a breach at the technology giant blamed on Russian state-sponsored hackers.
The U.S. Agency for Global Media, a part of the U.S. State Department that provides news and information in countries where the press is restricted, was notified by Microsoft “a few months ago” that some of its data may have been stolen, a spokesman said in an emailed statement. No security-related or personally identifiable sensitive data was compromised, the spokesman said.
The agency is working closely with the Department of Homeland Security on the incident, the spokesman said, declining to answer further questions. A State Department spokesman said: “We are aware that Microsoft is contacting affected and unaffected agencies in the spirit of transparency.”
Microsoft announced in January that a Russian hacker group called Midnight Blizzard had accessed corporate email accounts and later warned that they were trying to exploit secrets exchanged between the technology giant and its customers. The company has refused to name the affected customers.
“As part of our investigation, we have contacted customers to let them know if they have corresponded with a Microsoft corporate email account that was accessed,” a Microsoft spokesperson said Wednesday. “We will continue to coordinate, support, and assist our customers in taking mitigation actions.”
In addition, the U.S. Department of Veterans Affairs was notified in March that it was affected by the Microsoft vulnerability, agency officials said.
A one-second break-in
The hackers used a single set of stolen credentials – found in the emails they accessed – to break into a test environment in the VA’s Microsoft cloud account around January, officials said, adding that the breach took one second. Midnight Blizzard likely wanted to verify that the credentials were valid, presumably with the larger intent of breaking into the VA’s network, officials said.
The agency changed the exposed credentials and the login credentials in its Microsoft environments after it was notified of the breach, officials said. After reviewing the emails accessed by the hackers, the VA determined that no other credentials or confidential emails were stolen, officials said.
Terrence Hayes, VA spokesman, said an investigation is underway to determine further impacts.
According to a statement from the press office, the Peace Corps was also contacted by Microsoft and informed of the Midnight Blizzard security breach. “Based on this notification, Peace Corps technical staff were able to resolve the security vulnerability,” the agency said. The Peace Corps declined further comment.
Bloomberg News has reached out to other federal agencies for comment, but none of the other agencies said they had been affected by Midnight Blizzard’s attack on Microsoft. Bloomberg previously reported that more than a dozen Texas agencies and public universities were at risk from the Russian hack.
Midnight Blizzard, also known in cybersecurity circles as “Cozy Bear” and “APT29,” is part of Russia’s foreign intelligence service, according to U.S. and British authorities.
In April, US federal authorities were ordered to analyze emails, reset compromised passwords, and work to secure Microsoft cloud accounts amid concerns that Midnight Blizzard may have accessed the correspondence. Microsoft notified some customers in the months that followed that their emails with the tech giant had been accessed by the Russian hackers.
The Midnight Blizzard attack was one of several high-profile and serious security breaches at the Redmond, Washington-based technology company that drew strong condemnation from the U.S. government. Microsoft President Brad Smith appeared before Congress last month, where he admitted to security breaches and promised to improve the company’s operations.