Government says Veterans Affairs and State Departments were swept up in Russian-backed Microsoft hack

The US Department of Veterans Affairs and an arm of the US State Department are among a growing list of Microsoft Corp. customers that have acknowledged they were impacted by a breach of the technology giant that was blamed on Russian state-sponsored hackers.

The US Agency for Global Media, part of the State Department that provides news and information in countries where the press is restricted, was notified “a couple months ago” by Microsoft that some of its data may have been stolen, a spokesperson said in an emailed statement. No security or personally identifiable sensitive data was compromised, the spokesperson said.

The agency is working closely with the Department of Homeland Security on the incident, the spokesperson said, declining to answer additional questions. A State Department spokesperson said, “We are aware that Microsoft is reaching out to agencies, both affected and unaffected, in the spirit of transparency.”

Microsoft disclosed in January that a Russian hacking group it calls Midnight Blizzard had accessed corporate email accounts and later warned that they were attempting to use secrets shared between the technology giant and its customers. The company has declined to identify the customers who were impacted.

“As our investigation continues, we have been reaching out to customers to notify them if they had corresponded with a Microsoft corporate email account that was accessed,” a Microsoft spokesperson said on Wednesday. “We will continue to coordinate, support and assist our customers in taking mitigating measures.”

In addition, the Department of Veterans Affairs was notified in March that it was impacted by the Microsoft breach, officials for the agency said.

A one-second intrusion

The hackers used a single set of stolen credentials — found in the emails they accessed — to break into a test environment in the VA’s Microsoft Cloud account around January, the officials said, adding that the intrusion lasted for one second. Midnight Blizzard likely intended to check if the credentials were valid, presumably with the larger intention of breaching the VA’s network, the officials said. 

The agency changed the exposed credentials, along with log-in details across their Microsoft environments, once they were notified of the intrusion, they said. After reviewing the emails that the hackers accessed, the VA determined that no additional credentials or sensitive email was taken, the officials said.

Terrence Hayes, the VA’s press secretary, said an investigation is continuing to determine any additional impact.

The Peace Corps was also contacted by Microsoft and notified about the Midnight Blizzard breach, according to a statement from its press office. “Based on this notification, Peace Corps technical staff were able to mitigate the vulnerability,” according to the agency. The Peace Corps declined further comment.

Bloomberg News asked other federal agencies for comment, and none of the others disclosed that they were impacted by Midnight Blizzard’s attack on Microsoft. Bloomberg previously reported that more than a dozen Texas state agencies and public universities were exposed by the Russian hack.

Midnight Blizzard, also known in cybersecurity circles as “Cozy Bear” and “APT29,” is part of Russia’s foreign intelligence service, according to US and UK authorities. 

In April, US federal agencies were ordered to analyze emails, reset compromised passwords and work to secure Microsoft cloud accounts amid fears that Midnight Blizzard may have accessed correspondence. Microsoft has been notifying some customers in the months since then that their emails with the tech giant were accessed by the Russian hackers.

The Midnight Blizzard breach was one in a series of high-profile and damaging security failures at the Redmond, Washington-based technology company, which has drawn strong condemnation by the US government. Microsoft President Brad Smith appeared before Congress last month where he acknowledged security failures and vowed to improve the company’s operations. 
