The cybersecurity breach that hit Microsoft in late 2023 also impacted the US Department of Veteran Affairs (VA), the US Agency for Global Media (USAGM), and the Peace Corps.
The comapony notified both organizations about the breach in March 2024, and has even warned USAGM that the attackers might have stolen some data from its servers. Security data, as well as personally identifiable information (PII), was probably not taken.
“As our investigation continues, we have been reaching out to customers to notify them if they had corresponded with a Microsoft corporate email account that was accessed,” Microsoft spokesperson Jeff Jones said to The Verge. “We will continue to coordinate, support, and assist our customers in taking mitigating measures.”
Midnight Blizzard
In late November 2023, Russian state-sponsored threat actors known as Midnight Blizzard (AKA Nobelium, or Cozy Bear) targeted Microsoft and managed to steal some sensitive information from certain highly-positioned individuals, including senior executives. It is not known exactly how many emails were accessed, but Microsoft did say that compromised accounts included those belonging to members of senior leadership and those working in cybersecurity and legal departments.
The attack was spotted on January 12, and Microsoft noted the subsequent changes in the approach to security might cause some disruptions.
At the time, the company noted how the attackers managed to compromise a legacy non-production test tenant account via a password spray attack.
The group used that access to gain access to “a very small percentage” of Microsoft corporate accounts, the company said.
“Some emails and attached documents” were stolen, Microsoft said, stating that the information was related to the Nobelium group. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.”