Government agencies shared logins over email - what does it mean for our security?


A cyber attack by the Russian state-sponsored hacking group Midnight Blizzard revealed that some government agencies shared login credentials via email.

This extensive cyber attack shows in stark reality the importance of good cybersecurity practices, but also brings to light just how often they are neglected. Research has shown that 49% of Americans don't trust the federal government to protect their data, and with this shocking revelation, I can’t blame them.

What happened during the Midnight Blizzard attack?

The Midnight Blizzard cyber attack began in November 2023 and was eventually discovered in January 2024. In a filing with the Securities and Exchange Commission about the attack, Microsoft explained that a Russian state-backed hacker had "gained access to and exfiltrated information from a very small percentage of employee email accounts." The accounts accessed included those of its senior leadership team, as well as employees in its cybersecurity and legal departments.

In the filing, Microsoft stated that the hacker had "used and continues to use the information it obtained to gain, or attempt to gain, unauthorized access to some of the company’s source code repositories and internal systems," but had found no evidence of compromise in any of the customer-facing systems Microsoft hosts.

An investigation by Microsoft into the cybersecurity incident revealed that the hacker had gained unauthorized access via a "legacy non-production test tenant account."

Following the cyber attack, Microsoft said it would be overhauling its internal security practices.

On April 11, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive regarding the hack, which explained that emails between Microsoft and some US government agencies were compromised during the hack.

The emergency directive went on to explain that some of the emails stolen by Midnight Blizzard during the cyber attack contained "authentication secrets, such as credentials or passwords." CISA called the hack and data exfiltration a "grave and unacceptable risk to agencies."

Following the cyber attack, CISA has "strongly encouraged" FCEB agencies and state and local government to "apply stringent security measures, including strong passwords, multi-factor authentication (MFA) and prohibited sharing of unprotected sensitive information via unsecure channels," regardless of how heavily they were impacted by the attack against Microsoft. While the advice is warranted, it is (in my opinion) the very least these organizations should have already been doing to protect themselves against cyber attacks.

The Midnight Blizzard attack and cyber security

With the severity of the cyber attack and data exfiltration revealed, it raises some serious questions about attitudes towards cyber security. What does it say about attitudes to cyber security if government agencies in charge of matters of national security and importance aren’t practicing good cyber hygiene?

Unfortunately, cases like this data breach show all too well the importance of the cybersecurity hygiene steps we are told to take to protect ourselves and our businesses.

We all know not to take these cyber risks, yet how many of us do? There was a 108% increase in business email compromise (BEC) attacks from 2022 to 2023, meaning that if any of these businesses were sharing sensitive information via email, these cyber attacks just got a lot more serious.

Olivia Powell
Commissioning Editor for Tech Software

Olivia joined TechRadar in October 2023 as part of the core Future Tech Software team, and is the Commissioning Editor for Tech Software. With a background in cybersecurity, Olivia stays up-to-date with all things cyber and creates content across sites including TechRadar Pro, TechRadar, Tom’s Guide, iMore, Windows Central, PC Gamer and Games Radar. She is particularly interested in threat intelligence, detection and response, data security, fraud prevention and the ever-evolving threat landscape.