Government agencies shared logins over email
A cyber attack by Russian-state-sponsored hacker, Midnight Blizzard has been revealed that some government agencies shared login credentials via email.
This extensive cyber attack shows in stark reality the importance of good cybersecurity practices, but also brings to light just how often they are neglected. Research has shown that 49% of Americans don’t trust the federal government to protect their data, and with this shocking revelation, I can’t blame them.
What happened during the Midnight Blizzard attack?
The Midnight Blizzard cyber attack began in November 2023 and was eventually discovered in January 2024. In a filing with the Security and Exchange Commission about the attack, Microsoft explained that a Russian-state-backed hacker had “gained access to and exfiltrated information from a very small percentage of employee email accounts”. The accounts accessed included those from its senior leadership team, as well as employees in its cybersecurity and legal departments.
In the filing, Microsoft stated that the hacker had “used and continues to use information it obtained to gain, or attempt to gain, unauthorized access to some of the company’s source code repositories and internal systems”, but had found no evidence of compromise in any of the customer-facing systems Microsoft hosts.
An investigation by Microsoft into the cybersecurity incident revealed that the hacker had gained unauthorized access via a “legacy non-production test tenant account”.
Following the cyber attack, Microsoft said it would be overhauling its internal security practices
On April 11, the Cyber Security and Infrastructure Security Agency (CISA) issued an emergency directive regarding the hack, which explained that emails between Microsoft and some US government agencies were compromised during the hack.
The emergency directive went on to explain that some of the emails stolen by Midnight Blizzard during the cyber attack contained “authentication secrets, such as credentials or passwords”. CISA called the hack and data exfiltration, a “grave and unacceptable risk to agencies”.
Following the cyber attack, CISA has “strongly encouraged” FCEB agencies and state and local government to “apply stringent security measures, including strong passwords, multi factor authentication (MFA) and prohibited sharing of unprotected sensitive information via unsecure channels”, regardless of how heavily they were impacted by the attack against Microsoft. While the advice is warranted, it is (in my opinion) the very least these organizations should have already been doing to protect themselves against cyber attacks.
The Midnight Blizzard attack and cyber security
With the severity of the cyber attack and data exfiltration revealed, it raises some serious questions about attitudes towards cyber security. What does it say about attitudes to cyber security if government agencies in charge of matters of national security and importance aren’t practicing good cyber hygiene?
Unfortunately, cases like this data breach show all too well the importance of the cybersecurity hygiene steps we are told to take to protect ourselves and our businesses.
We all know not to take these cyber risks, yet how many of us do? There was an 108% increase in business email compromise attacks (BEC) from 2022 to 2023, meaning if any of these businesses were sharing sensitive information via email, these cyber attacks just got a lot more serious.