Microsoft Tells More Clients Russian Hackers Viewed Emails

Microsoft Corp. blamed the attack on a group, which it calls Midnight Blizzard,

Microsoft. (Photographer: David Paul Morris/Bloomberg)

Microsoft Corp. is informing additional customers that emails they exchanged with the technology giant were accessed by Russian hackers, a sign that a previously reported state-sponsored breach has had wider repercussions than initially thought.

In January, Microsoft disclosed that hackers had stolen senior leaders’ emails that they were using to try to break into customers’ communications, including those of government agencies. The company blamed the attack on a group, which it calls “Midnight Blizzard,” that US and UK authorities have said is part of the Russian Foreign Intelligence Service. 

While trawling through Microsoft executives’ emails, the hackers found messages exchanged with other companies and organizations, and Microsoft is now notifying customers which of their emails were accessed, the spokesperson said. Some of these customers had received prior notice from Microsoft that they were impacted, while others are hearing for the first time now that Microsoft has had more time to assess the damage. The company declined to say which customers were receiving notices. 

“This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor,” according to a statement from a Microsoft spokesperson. “This is increased detail for customers who have already been notified and also includes new notifications.”

In email notifications reviewed by Bloomberg News, Microsoft gave clients a link through which they could designate someone to review the compromised messages in a custom-built, secure system.

“You are receiving this notification because emails were exchanged between Microsoft and accounts in your organization, and those emails were accessed by the threat actor Midnight Blizzard as part of their cyberattack on Microsoft,” the email states. It prompted concern among some Microsoft customers, who took to the social media site Reddit looking for guidance on whether the message was a phishing attempt.

The hack is the latest in a series of high-profile and damaging security failures by the Redmond, Washington-based software giant, which is now contending with strong condemnation by the US government. In April, the US government issued a scathing report that criticized Microsoft for having an “inadequate” security culture and cited Midnight Blizzard as evidence that the company hadn’t yet fixed the problem. 

Microsoft is in the middle of the biggest security overhaul in decades. Earlier this month, Microsoft President Brad Smith appeared contrite at a hearing of the House Committee on Homeland Security on the issues, saying the company took full responsibility for its lapses. 

The full scope of who was affected by the Midnight Blizzard attack on Microsoft remains unclear. But in April, US federal agencies were ordered to analyze emails, reset compromised credentials and work to secure Microsoft cloud accounts amid concerns that the hackers may have accessed correspondence.

The US Cybersecurity and Infrastructure Security Agency, which issued the emergency directive, said the hack of Microsoft represents a “grave and unacceptable risk” to government agencies.

Representatives for CISA didn’t immediately respond to requests for comment Thursday on Microsoft’s new notifications for clients. 

Midnight Blizzard, which is also known as APT29 and Cozy Bear, is the same hacking outfit that the US and UK said was responsible for the 2021 cyberattack on SolarWinds Corp.

In the SolarWinds attack, malicious code was inserted in a software update that allowed the intruders to gain further access to customers. In all, about 100 companies and nine federal agencies were targeted for further attacks.

(Updates with additional details starting in the fourth paragraph.)

©2024 Bloomberg L.P.